Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7813886=
Text Part Number: 78-13886-03
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and
Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to
Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient,
IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S.
and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0208R)
Cisco Content Services Switch Basic Configuration Guide
Copyright 2002, Cisco Systems, Inc.
All rights reserved.
Contents
Chapter 5: Configuring Source Groups, ACLs, EQLs, URQLs, NQLs, and DQLs
  Configuring Source Groups
    Source Group Configuration Quick Start
    Creating a Source Group
    Source Group Commands
    Configuring a Source Group for FTP Connections
    Configuring Source Groups to Allow Servers to Internet-Resolve Domain Names
    Showing Source Groups
    Clearing Source Group Counters
  Configuring an Access Control List
    Access Control List Overview
    ACL Configuration Quick Start
    Creating an ACL
    Deleting an ACL
    Configuring Clauses
    Deleting a Clause
    Logging ACL Activity
    Applying an ACL to a Circuit or DNS Queries
    Removing an ACL from a Circuit or DNS Queries
    Globally Enabling ACLs
    Showing ACLs
    Setting the Show ACL Counters to Zero
    ACL Example
  Configuring Extension Qualifier Lists
    Specifying an Extension Qualifier List in a Uniform Resource Locator
    Showing EQL Extensions and Descriptions
  Configuring Uniform Resource Locator Qualifier Lists
    Creating a URQL
Figures: Figure 1-1 through 1-3, Figure 3-1 through 3-6, and Figure 7-1 through 7-9.
Tables: Table 1-1 through 1-6, Table 2-1 through 2-4, Table 3-1 through 3-5, Table 4-1, Table 5-1 through 5-11, Table 6-1 and 6-2, and Table 7-1 and 7-2.
Note
You must enter a software license key when you boot the CSS for the first time.
After you boot the CSS, you can activate a CSS software option (for example,
SSH) that you purchased using the license command. For more information, refer
to the Cisco Content Services Switch Hardware Installation Guide, Chapter 3,
Booting and Configuring the CSS.
Audience
This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS:
- Web master
- System administrator
- System operator
Related Documentation
In addition to this document, the Content Services Switch documentation set includes the following:

Document Title: Release Note for the Cisco 11500 Series Content Services Switch
Description: This release note provides information on operating considerations, caveats, and CLI commands for the Cisco 11500 series CSS.

Document Title: Release Note for the Cisco 11000 Series Content Services Switch
Description: This release note provides information on operating considerations, caveats, and CLI commands for the Cisco 11000 series CSS.

Document Title: Cisco 11500 Series Content Services Switch Hardware Installation Guide

- OSPF
- SNMP
- RMON
- DNS Sticky
- Network proximity
- Box-to-box redundancy
Caution: A caution means that a specific action you take could cause a loss of data or adversely impact use of the equipment.
Warning: A warning describes an action that could cause you physical harm or damage the equipment.
Note
Courier bold text
Italics text indicates the first occurrence of a new term, book title, and emphasized text.
1. A numbered list indicates that the order of the list items is important.
   a. An alphabetical list indicates that the order of the secondary list items is important.
- A bulleted list indicates that the order of the list topics is unimportant.
  - An indented list indicates that the order of the list subtopics is unimportant.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco
Documentation CD-ROM package, which is shipped with your product. The
Documentation CD-ROM is updated monthly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or
through an annual subscription.
Ordering Documentation
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Networking Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco
Documentation home page, click the Fax or Email option in the Leave
Feedback section at the bottom of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the
front cover of your document or by writing to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that
provides immediate, open access to Cisco information, networking solutions,
services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use
tool that provides a broad range of features and services to help you with these
tasks:
If you want to obtain customized information and service, you can self-register on
Cisco.com. To access Cisco.com, go to this URL:
http://www.cisco.com
The Cisco TAC resource that you choose is based on the priority of the problem
and the conditions of service contracts, when applicable.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country,
go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the
level of Cisco support services to which your company is entitled: for example,
SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When
you call the center, please have available your service agreement number and your
product serial number.
Chapter 1
Configuring Services
This chapter describes how to configure services, configure load for services, configure global keepalives, and use script keepalives with services. This chapter also contains an overview of the association between services, owners, and content rules. Information in this chapter applies to all CSS models except where noted.
This chapter contains the following sections:
An owner is generally the person or company who contracts the Web hosting service to host their Web content and allocate bandwidth as required. Owners can have multiple content rules.
2. Uses the owner content rule to translate the owner Virtual IP address (VIP) or domain name using Network Address Translation (NAT) to the corresponding service IP address and port.
3. Uses content rules to choose which service can best process the request for content.
4. Applies all content rules to service the request for content (for example, load-balancing method, redirects, failover, stickiness).
Service, Owner, and Content Rule Overview
Figure 1-1 illustrates the CSS service, owner, and content rule concepts.
Figure 1-1 Services, Owners, and Content Rules Concepts
[Figure: Clients request content from www.arrowpoint.com; the CSS NATs www.arrowpoint.com to VIP 192.1.1.43. Owner arrowpoint, content rule arrowrule1: VIP 192.1.1.43, service Serv1, protocol tcp, port 80, round-robin, activate rule. Serv1 contains content for arrowpoint.com: IP address 10.0.0.8, keepalive type ICMP, protocol tcp, port 8080, activate service. Clients request content from www.dogsRus.com; the CSS NATs www.dogsRus.com to VIP 172.1.1.89. Owner frednmandi, content rule fredrules: VIP 172.1.1.89, service Serv2, protocol tcp, port 8080, activate rule. Serv2 contains content for dogsRus.com: IP address 10.0.0.9, keepalive type ICMP, protocol tcp, port 8080, activate service.]
2. Create services. When you create a service, the CLI enters that service mode, as shown in the command response below. To create additional services, reenter the service command.
(config)# service serv1
(config-service[serv1])#
(config-service[serv1])# service serv2
(config-service[serv2])#
3.
4.
5.
(config-service[serv1])# active
(config-service[serv1])# service serv2
(config-service[serv2])# active
(config-service[serv2])# exit
Configuring Services
The following sections describe how to create and configure content services.
- Creating a Service
- Specifying a Port
- Specifying a Protocol
- Configuring Weight
- Activating a Service
- Suspending a Service
- Removing a Service
Note
The CSS supports Adaptive Session Redundancy (ASR) on 11500 series CSS peers in an active-backup VIP redundancy and virtual IP interface redundancy environment to provide stateful failover of existing flows. For details on ASR, refer to the Cisco Content Services Switch Advanced Configuration Guide, Chapter 6, Configuring VIP and Virtual IP Interface Redundancy.
Creating a Service
A service can be a destination location or entity that contains and provides
Internet content (for example, a server, an application on a server such as FTP, or
streaming audio). A service has a name that is associated with an IP address, and
optionally, a protocol and a port number.
By creating a service, you identify the service and enable the CSS to recognize it.
You can then apply content rules to services that allow the CSS to:
Enter the service name from 1 to 31 characters. For example, to create service
serv1, enter:
(config)# service serv1
When using the ip address range command, use IP addresses that are within the
subnet you are using. The CSS does not arp for IP addresses that are not on the
circuit subnet. For example, if you configure the circuit for 10.10.10.1/24 and
configure the VIP range as 10.10.10.2 range 400, the CSS will not arp for any IP
addresses beyond 10.10.10.254. Using the same example only with a VIP range
of 200, the CSS will arp for all IP addresses in the range.
For example, enter:
(config-service[serv1])# ip address 172.16.1.1 range 10
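The subnet rule above is easy to get wrong when a VIP range is large. The following Python script is an added example, not part of the Cisco guide: it takes a circuit address with its prefix, the first VIP and the range value, and reports how many of the addresses the CSS will ARP for and which is the first one it will not. The function name vip_range_check and the sample values are assumptions chosen to mirror the guide's 10.10.10.1/24 example; the script only applies the rule stated in the guide and does not talk to a CSS.

```python
"""Check whether a CSS 'ip address <start> range <n>' VIP block fits inside
the circuit subnet.

Added example, not code from the Cisco guide. It applies the rule the guide
states: the CSS does not ARP for VIP addresses outside the circuit subnet, so
every address past the last usable host (10.10.10.254 for a /24) is
unreachable. The function name and the sample values are assumptions.
"""
import ipaddress


def vip_range_check(circuit_cidr: str, vip_start: str, count: int) -> dict:
    """Return how many VIPs in the configured range the CSS will ARP for.

    circuit_cidr: circuit interface address with prefix, e.g. "10.10.10.1/24"
    vip_start:    first VIP given to 'ip address <vip_start> range <count>'
    count:        the 'range' value
    """
    network = ipaddress.ip_interface(circuit_cidr).network
    first = ipaddress.ip_address(vip_start)
    last = first + (count - 1)
    usable_last = network.broadcast_address - 1   # last host address in the subnet

    reachable = []
    unreachable = []
    for offset in range(count):
        addr = first + offset
        # The CSS only ARPs for addresses on the circuit subnet; the network
        # and broadcast addresses are not usable hosts either.
        if addr in network and network.network_address < addr < network.broadcast_address:
            reachable.append(addr)
        else:
            unreachable.append(addr)
    return {
        "network": str(network),
        "first_vip": str(first),
        "last_vip": str(last),
        "last_usable": str(usable_last),
        "reachable": len(reachable),
        "unreachable": len(unreachable),
        "first_unreachable": str(unreachable[0]) if unreachable else None,
    }


if __name__ == "__main__":
    # The guide's two cases: range 400 overflows the /24, range 200 fits.
    for rng in (400, 200):
        print(rng, vip_range_check("10.10.10.1/24", "10.10.10.2", rng))
```

Run the check before committing a large range; a non-zero unreachable count means those VIPs will silently receive no traffic because the CSS never answers ARP for them.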
Specifying a Port
Use the port command to specify a service TCP/UDP port number or range of
port numbers. The TCP or UDP destination port number is associated with a
service. Enter the port number as an integer from 0 to 65535. The default is 0
(any).
For example, enter:
(config-service[serv1])# port 80
To specify a port to be used for keepalives, use the service mode keepalive port
command.
Use the range option to specify a range of port numbers starting with the port
number you specified using the port command. Enter a range number from 1 to
65535. The default range is 1. For example, if you enter a port number of 80 with
a range of 10, the port numbers will range from 80 through 89. You can use the
port range command only on local (default) services.
For example, enter:
(config-service[serv1])# port 80 10
Specifying a Protocol
To specify a service IP protocol, use the protocol command. The default setting
for this command is any, for any IP protocol. The options for this command are:
Note
You can only use a service redirect domain on a service type redirect. You must
specify the domain command for a redirect service to obtain an applicable HTTP
redirect.
For example, enter:
(config-service[serv1])# domain 172.16.3.6
To remove the domain from the service, enter:
(config-service[serv1])# no domain 172.16.3.6
Configuring Weight
To specify the relative weight of the service, use the weight command in service
mode. The CSS uses this weight when you configure ACA or weighted
roundrobin load balancing on a content rule. By default, all services have a weight
of 1. A higher weight will bias flows towards the specified service. To set the
weight for a service, enter a number from 1 to 10. The default is 1.
When you add a service to content rules, the service weight as configured in
service mode is applied to each rule as a server-specific attribute. To define a
content rule-specific server weight, use the add service weight command. This
command overrides the server-specific weight and applies only to the content rule
to which you add the service. For information on the add service weight
command, refer to Chapter 3, Configuring Content Rules.
type redirect - Define the service as a remote service to enable the CSS to
redirect content requests to the remote service when a local service is not
available (for example, the local service has exceeded its configured load
threshold). To configure a load threshold for a content rule, use the
load-threshold command in owner-content mode (refer to Chapter 3,
Configuring Content Rules, Specifying a Load Threshold). If you have
multiple remote services defined as type redirect, the CSS uses the
roundrobin load-balancing method to load balance requests between them.
When you add a type redirect service to a content rule, you must also
configure a URL to match on the content. For example, /* or
/vacations.html.
ssl-accel - Specify that this is an SSL acceleration service for the SSL
Acceleration Module (Cisco 11500 series CSS only). This allows you to:
Configure the service as an SSL acceleration service.
Add the SSL proxy list to an SSL service through the (config-service)
For example, to enable the CSS to redirect content requests for serv1, specify
redirect in the serv1 content rule:
(config-service[serv1])# type redirect
- The local services are not active or configured, the rule hits the primary sorry server.
- The primary sorry server fails, the rule hits the secondary sorry server.
Redirect services and redirect content strings cannot be used with Layer 3 or 4 rules because they use the HTTP protocol.
When you configure a Layer 5 content rule, the CSS directs content requests to local services. If:
- The local services are not active or configured, the rule sends the HTTP redirects with the location of the redirect services to the clients.
- The local and redirect services are not active or configured, the rule forwards the HTTP requests to the primary sorry server.
- All services are down except the secondary sorry server, the rule forwards the HTTP requests to the secondary sorry server.
When you use this command to associate an FTP access mechanism with a
service, the base directory of an existing FTP record becomes the tree root. To
maintain coherent mapping between WWW daemons and FTP daemons, make the
FTP access base directory equivalent to the WWW daemon root directory as seen
by clients. For information on creating an FTP record, refer to the (config) ftp-record command in the Cisco Content Services Switch Administration Guide, Chapter 1, Logging in and Getting Started.
Enter the access FTP record as the name of the existing FTP record. Enter an
unquoted text string with no spaces.
For example, enter:
(config-service[serv1])# access ftp arrowrecord
Note
Currently, you can use the transparent-hosttag command only with a CSS
operating in a Client Side Accelerator (CSA) environment. For details on CSA,
refer to the Content Service Switch Advanced Configuration Guide, Chapter 4,
Configuring a Client Side Accelerator.
To disable destination NATing for the transparent cache service type, enter:
(config-service[serv1])# no transparent-hosttag
Note
Currently, you can use the bypass-hosttag command only with a CSS operating
in a CSA environment. For details on CSA, refer to the Cisco Content Services
Switch Advanced Configuration Guide, Chapter 4, Configuring a Client Side
Accelerator.
For example, enter:
(config-service[serv1])# bypass-hosttag
Global keepalive configuration mode allows you to create a global keepalive and
configure its properties. Once you create and configure a global keepalive, you
can apply it to any service. Global keepalives supersede the individual keepalive
parameters configured in service mode. Applying a keepalive to multiple services
reduces the amount of configuration required for each service. See Configuring
Keepalives in Global Keepalive Mode later in this chapter for details.
Use the keepalive command to configure keepalive message parameters for a
service. With keepalive messages you can determine whether or not a service is
still functioning.
When you configure a keepalive for a service (or associate a service with a global
keepalive), the CSS periodically sends a message to the service based on the
keepalive frequency to determine the state of the service. See the Configuring
Keepalive Frequency section. The CSS considers the service to be alive when a
service responds to the keepalive message.
The CSS transitions the service to the dying state when the service fails to respond
to a keepalive message. The CSS tests whether the failed service is functional by
sending a keepalive message at time intervals based on the retry period. See the
Configuring Keepalive Retryperiod section.
The CSS transitions the service to the dead state if the service fails to respond to the keepalive message for the maximum number of retries. See the Configuring Keepalive Maxfailure section. The CSS then removes the service from the load-balancing algorithm, but continues to test whether the service is functional at time intervals based on the retry period.
Thus, using the default values of a 5-second keepalive frequency interval, a
5-second retry period interval, and maximum of three failures, a service can
transition from the alive state to the dead state in 20 seconds; a 5-second interval
between a keepalive response and the initial keepalive failure based on the
keepalive frequency, and three failures, each occurring at 5-second intervals
based on the retry period.
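The timing in the paragraph above follows from three parameters. The following Python model is an added example, not code from the Cisco guide; the class KeepaliveMonitor and the helper names are assumptions. It applies the rules as the guide states them: a probe every frequency seconds while the service is alive, the first missed response moves the service to dying, retries every retryperiod seconds, and maxfailure failed retries move it to dead, so the defaults give 20 seconds. It also shows the recovery path, where (on the guide's statement that a service is alive when it responds) a single response returns a dying service to alive.

```python
"""Simulate the CSS keepalive state machine described in the guide
(alive -> dying -> dead) to see how frequency, retryperiod and maxfailure
combine into the time a failed service stays in rotation.

Added example, not code from the Cisco guide. The class and method names are
assumptions; the timing rules follow the guide's description.
"""


class KeepaliveMonitor:
    def __init__(self, frequency=5, retryperiod=5, maxfailure=3):
        self.frequency = frequency      # seconds between probes while alive
        self.retryperiod = retryperiod  # seconds between retries while dying/dead
        self.maxfailure = maxfailure    # failed retries before the service is dead
        self.state = "alive"
        self.failures = 0               # failed retries since entering dying
        self.clock = 0                  # seconds since the last good response
        self.history = []               # (time, state) after each probe

    def next_probe_delay(self):
        # Alive services are probed at the keepalive frequency; dying and dead
        # services are probed at the retry period.
        return self.frequency if self.state == "alive" else self.retryperiod

    def probe(self, responded):
        self.clock += self.next_probe_delay()
        if responded:
            # Assumption: any response puts the service back in rotation.
            self.state = "alive"
            self.failures = 0
        elif self.state == "alive":
            # First missed response: the initial failure does not count as a retry.
            self.state = "dying"
            self.failures = 0
        elif self.state == "dying":
            self.failures += 1
            if self.failures >= self.maxfailure:
                self.state = "dead"
        self.history.append((self.clock, self.state))
        return self.state


def time_to_dead(frequency=5, retryperiod=5, maxfailure=3):
    """Seconds from the last good response until the service is marked dead
    when every subsequent probe fails."""
    mon = KeepaliveMonitor(frequency, retryperiod, maxfailure)
    while mon.state != "dead":
        mon.probe(False)
    return mon.clock


def recovery_path(frequency=5, retryperiod=5, maxfailure=3):
    """States seen when a service misses two probes and then answers."""
    mon = KeepaliveMonitor(frequency, retryperiod, maxfailure)
    mon.probe(False)
    mon.probe(False)
    mon.probe(True)
    return [state for _, state in mon.history]


if __name__ == "__main__":
    print("defaults: dead after", time_to_dead(), "seconds")
    print("recovery:", recovery_path())
```

Lowering retryperiod shortens the window in which a failed server keeps receiving new connections, at the cost of more probe traffic; the model lets you see the resulting detection time before changing the service.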
The CSS supports a total of 2048 keepalives. Each of the following keepalives
types can have a maximum of 2048 keepalives: ICMP, TCP, HTTP-HEAD, and
SSL (HELLO).
Each of the following keepalive types can have a maximum of 256 keepalives:
HTTP-GET, FTP, and script. However, the total number of these keepalives
cannot exceed 512. Of the 256 script keepalives, you can configure a maximum
of 16 keepalives to use script output. For details on using script keepalives, see
Using Script Keepalives With Services later in this chapter.
These keepalives include:
- ICMP, HTTP, TCP, FTP, SSL, and script keepalives configured and assigned to a service through the (config-service) keepalive type command. Each time you assign one of these keepalives to a service through this command, the CSS counts it as one keepalive.
Caution
In WebNS 5.1 and earlier versions, if you configure more than 16 script
keepalives, the CSS automatically adjusts the keepalive frequency time to a value
that best fits the resource usage. Note that this adjustment also affects the
keepalive retry period value (see Configuring Keepalive Retryperiod later in
this chapter) by adjusting that value to a number that is one-half the adjusted
frequency time. If this occurs, you may observe in the output of the show service
command that your previously set keepalive frequency and retry period times
change to a different value, as determined by the CSS.
method get - The CSS issues an HTTP GET method to the service, computes
a hash value on the page, and stores the hash value as a reference hash.
Subsequent GETs require a 200 OK status (HTTP command completed OK
response) and the hash value to equal the reference hash value. If the 200 OK
status is not returned, or if the 200 OK status is returned but the hash value is
different from the reference hash value, the CSS considers the service down.
When you specify the content information of an HTTP Uniform Resource
Identifier (URI) for an HTTP keepalive, the CSS calculates a hash value for
the content. If the content information changes, the hash value no longer
matches the original hash value and the CSS assumes that the service is down.
To prevent the CSS from assuming that a service is down due to a hash value
mismatch, specify the keepalive method as head.
method head (default) - The CSS issues an HTTP HEAD method to the
service and a 200 OK status is required. The CSS does not compute a
reference hash value for this type of keepalive. If the 200 OK status is not
returned, the CSS considers the service down.
Note
If you do not configure a keepalive port, the TCP keepalive uses the service port
configured with the (config-service) port command. If you do not configure
either port, the TCP keepalive uses port 80.
For example, to specify port 8080 as the keepalive port for service serv1, enter:
(config-service[serv1])# keepalive port 8080
keepalive type icmp - An ICMP echo message (ping). This is the default
keepalive type.
keepalive type ssl - SSL HELLO keepalives for this service. Use this
keepalive for all backend services supporting SSL. The CSS sends a client
HELLO to connect the SSL server. After the CSS receives a HELLO from the
server, the CSS closes the connection with a TCP RST.
When the 11500 series CSS is using an SSL module, use the keepalive type
of none. The SSL module is an integrated device in the CSS and does not
require the use of keepalive messages for the service.
keepalive type tcp - A TCP session that determines service viability (3-way
handshake and reset (RST)). By default and in compliance with RFC 1122,
the CSS sends a RST to close the socket on a server port for TCP keepalives.
A RST is faster than a FIN, because a RST requires only one packet, while a
FIN can take up to four packets. If your servers require a graceful closing of
a socket using a FIN, you can use a script keepalive. For an example TCP
script keepalive that sends a FIN to close a socket, refer to the Cisco Content
Services Switch Advanced Configuration Guide, Chapter 11, Using the CSS
Scripting Language, in the Script Keepalive Examples section.
When you specify the content information of a URI for an HTTP keepalive, the
CSS calculates a hash value for the content. If the content information changes,
the hash value no longer matches the original hash value and the CSS assumes that
the service is down. To prevent the CSS from assuming that a service is down due
to a hash value mismatch, define keepalive method as head. The CSS does not
compute a hash value for this type of keepalive.
If you specify a Web page with changeable content and do not specify the head
keepalive method, you must suspend and reactivate the service each time the
content changes.
2. Display the hash value using the show keepalive command. For example, enter:
(config-service[serv1])# show keepalive
Keepalives:
Name: serv1               Index: 0          State: ALIVE
Description: Auto generated for service serv1
Address: 10.0.3.21        Port: 80
Type:            HTTP:GET:/testpage.html
Hash:            1024b91e516637aaf9ffca21b4b05b8c
Frequency:       5
Max Failures:    3
Retry Frequency: 5
Dependent Services:
3. Use the hash value from the keepalive display to configure the keepalive hash. Enter the MD5 hash as a quoted hexadecimal string with a maximum of 32 characters. For example, enter:
To clear a hash value and return to the default hash value, enter:
(config-service[serv1])# no keepalive hash
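The difference between the get and head methods comes down to one hash comparison. The following Python snippet is an added example, not code from the Cisco guide: it reproduces the decision the guide describes, computing a reference hash of a page and comparing a changed page under both methods. The guide shows the hash as a 32-character hexadecimal MD5 string; that MD5 is taken over the full response body is an assumption. Function names and the sample pages are constructed.

```python
"""Reproduce the HTTP keepalive decision the guide describes: a GET keepalive
needs a 200 OK and a page hash equal to the reference hash, a HEAD keepalive
needs only the 200 OK.

Added example, not code from the Cisco guide. Function names and sample pages
are constructed; hashing the whole response body with MD5 is an assumption.
"""
import hashlib


def reference_hash(body: bytes) -> str:
    """32-character hexadecimal MD5 digest, the form shown by 'show keepalive'."""
    return hashlib.md5(body).hexdigest()


def get_keepalive(status: int, body: bytes, reference: str) -> str:
    """'alive' only if the status is 200 and the page hash matches the reference."""
    if status != 200:
        return "down"
    if reference_hash(body).lower() != reference.lower():
        return "down"          # content changed: hash mismatch
    return "alive"


def head_keepalive(status: int) -> str:
    """HEAD keepalive: the 200 OK alone keeps the service alive; nothing is hashed."""
    return "alive" if status == 200 else "down"


# Constructed sample pages: a static test page and the same page after a
# content change (the case the guide warns about).
STATIC_PAGE = b"<html><body>service test page</body></html>"
CHANGED_PAGE = b"<html><body>service test page - updated 03/15</body></html>"


def compare_methods() -> dict:
    """Outcome of both keepalive methods against unchanged, changed and failing pages."""
    ref = reference_hash(STATIC_PAGE)
    return {
        "get_unchanged": get_keepalive(200, STATIC_PAGE, ref),
        "get_changed": get_keepalive(200, CHANGED_PAGE, ref),
        "get_500": get_keepalive(500, STATIC_PAGE, ref),
        "head_changed": head_keepalive(200),
        "head_500": head_keepalive(500),
    }


if __name__ == "__main__":
    print("reference hash:", reference_hash(STATIC_PAGE))
    for case, result in compare_methods().items():
        print(f"{case:14s} {result}")
```

A GET keepalive therefore doubles as an integrity check on the probed page: an unexpected change of the page, not only an outage, takes the service out of rotation, which is why a static test page such as /testpage.html is the right target when the hash is pinned.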
Activating a Service
Once you configure a service, you must activate it to enable the CSS to access it
for content requests. Activating a service puts it into the resource pool for
load-balancing content requests and starts the keepalive function.
Note
Once a service is activated the following commands cannot be changed for the
active service: ip address, port, protocol, type, transparent-hosttag, and
bypass-hosttag. If you need to make modifications to an active service, you must
first suspend it.
The following command activates service serv1:
(config-service[serv1])# active
Note
For the Cisco 11500 series CSS, the CSS supports one active SSL service for each
SSL Acceleration Module in the chassis (one SSL service per slot). You can
configure more than one SSL service for a slot but only a single SSL service can
be active at a time. Before you can activate the service, you must add an SSL
proxy list to an ssl-accel type service and then activate the SSL proxy list.
Suspending a Service
Suspending a service removes it from the pool for future load-balancing content
requests. Suspending a service does not affect existing content flows, but it
prevents additional connections from accessing the service for its content. You
may want to suspend a service prior to performing maintenance on the service.
The following command suspends service serv1:
(config-service[serv1])# suspend
Note
When you suspend a service, the CSS rebalances the remaining services using the
failover setting.
Removing a Service
When you remove a service, the CSS:
- Removes the service from all content rules to which the service has been added.
- Rebalances the remaining services. The CSS does not apply the failover setting.
Note
You cannot retrieve service information once you issue the remove service command.
To remove service server1 from owner arrowpoint content rule rule1, enter:
(config-owner-content[arrowpoint-rule1])# remove service server1
Showing Service Configurations
From a specific service mode, the show service command displays configuration
information only for that service. When you issue this command from any other
mode, it displays configuration information for all services.
For example, enter:
(config)# show service
Name: s1                      Index: 10
Type: Local                   State: Alive
Rule: (192.168.101.15 ANY ANY )
Session Redundancy: Disabled
Redirect Domain:
Redirect String:
Keepalive: (ICMP 5 3 5 )
Last Clearing of Stats Counters 03/15/2002 13:45:01
Mtu: 1500                     State Transitions: 0
Total Local Connections: 0    Total Backup Connections: 0
Total Connections: 0          Max Connections: 0
Total Reused Conns: 0
Weight: 1                     Load: 2
DFP: Disable
To display information for a specific service, use the show service command with
the service name. For example, enter:
# show service serv86
If you are in service mode, to display the configuration information for the current
service, enter:
(config-service[serv86])# show service
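For monitoring, the show service output can be scanned for services that have left rotation. The following Python parser is an added example, not code from the Cisco guide; it keys on the field labels the output shows (Name, State, State Transitions and so on), and the sample output it parses is constructed, not captured from a CSS. Helper names are assumptions. It flags every service whose State is not Alive and any Alive service whose State Transitions counter is non-zero, which indicates keepalive flapping since the counters were last cleared.

```python
"""Parse 'show service' output and flag services that are not in rotation.

Added example, not code from the Cisco guide. The parser keys on the field
labels shown in the guide's sample output and tolerates fields laid out in
columns or one per line. SAMPLE_OUTPUT is constructed, not a CSS capture.
"""
import re

SAMPLE_OUTPUT = """\
Name: s1                 Index: 10
Type: Local              State: Alive
Rule: (192.168.101.15 ANY ANY )
Keepalive: (ICMP 5 3 5 )
Mtu: 1500                State Transitions: 0
Name: s2                 Index: 11
Type: Local              State: Dying
Rule: (192.168.101.16 ANY ANY )
Keepalive: (HTTP:HEAD 5 3 5 )
Mtu: 1500                State Transitions: 4
Name: s3                 Index: 12
Type: Redirect           State: Suspended
Keepalive: (NONE 5 3 5 )
Mtu: 1500                State Transitions: 0
"""

# Field labels from the guide's output; "State Transitions" is listed before
# "State" so the longer label is tried first.
LABELS = ["Name", "Index", "Type", "State Transitions", "State", "Rule",
          "Keepalive", "Mtu", "Weight", "Load"]
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs until two or more spaces followed by another label, or line end.
FIELD_RE = re.compile(
    r"(?P<label>" + _LABEL_ALT + r"):\s*(?P<value>.*?)"
    r"(?=\s{2,}(?:" + _LABEL_ALT + r"):|$)"
)


def parse_show_service(text: str) -> list:
    """Return one dict of label -> value per service; a 'Name:' starts a service."""
    services = []
    current = None
    for line in text.splitlines():
        for m in FIELD_RE.finditer(line):
            label, value = m.group("label"), m.group("value").strip()
            if label == "Name":
                current = {}
                services.append(current)
            if current is not None:
                current[label] = value
    return services


IN_ROTATION = {"Alive"}   # Dying, Down and Suspended services get no new connections


def services_needing_attention(text: str) -> list:
    """(name, state, transitions) for every service that is not Alive, plus any
    Alive service whose State Transitions counter is non-zero (it has flapped
    since the counters were last cleared)."""
    flagged = []
    for svc in parse_show_service(text):
        transitions = int(svc.get("State Transitions", "0"))
        if svc.get("State") not in IN_ROTATION or transitions > 0:
            flagged.append((svc["Name"], svc.get("State"), transitions))
    return flagged


if __name__ == "__main__":
    for name, state, transitions in services_needing_attention(SAMPLE_OUTPUT):
        print(f"{name}: state={state} transitions={transitions}")
```

Run it over output collected on a schedule and compare against the previous run: a rising State Transitions count on a service that shows Alive at both samples is the flapping that a point-in-time check misses.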
Field
Description
Name
Index
Type
The type for the service. If you do not define a type for the
service, the default service type is local. The possible types are:
1-29
Chapter 1
Configuring Services
Table 1-2
Field
Description
State
The state of the service. The State field displays the service as
either Alive, Dying, Down, or Suspended. The Dying state
reports that a service is failing according to the parameters
configured in the following service mode commands: keepalive
retryperiod, keepalive frequency, and keepalive maxfailure.
When a service enters the Down state, the CSS does not forward
any new connections to it (the service is removed from the load
balancing rotation for the content rule). However, the CSS keeps
all existing connections to the service (connections to that
service are not torn down).
Rule
Redirect Domain
Session Redundancy
SSL-Accel Slot
The slot in the CSS chassis where the SSL module is located. An SSL service requires the SSL module slot number to correlate the SSL proxy list to a specific SSL module. For details on SSL, refer to the Cisco Content Services Switch Advanced Configuration Guide.
Session Cache Size
The size of the SSL session ID cache for the service. The cache size is the maximum number of SSL session IDs that can be stored in a dedicated session cache on an SSL module.
Redundancy Global Index
Redirect String
Keepalive
Mtu
State Transitions
Total Local Connections
Current Backup Connections
Total Connections
Max Connections
Total Reused Conns.
Weight
zero service state-transitions - Set the State Transitions counter to zero for
all services
For example, to clear the Total Connections counter for all services, enter:
(config)# zero service total-connections
Note
If you use the zero command in content mode, this command clears the service
statistics for all services that have been added to a specified content rule, not for
all content rules.
When you are in content mode, you can also use the zero command to clear the
statistics counter for a specified service associated with the content rule. For
details on clearing service statistics associated with a content rule, refer to
Chapter 3, Configuring Content Rules.
Configuring Load for Services
Note
Redirect services have load numbers associated with them, but the load numbers
are either 2 (available) or 255 (unavailable).
Figure 1-2 shows servers A, B, and C with response times of 100 ms, 1100 ms,
and 120 ms, respectively. One group of servers has load step configured to 10 ms.
The second group of servers has load step configured to 100 ms.
Figure 1-2 Calculated Load Numbers for Servers with 10 ms and 100 ms Load Steps (diagram not reproduced). The figure lists serverA, serverB, and serverC with the load number calculated for each server under each load step; the values it shows for serverB are 102 at the 10 ms load step and 12 at the 100 ms load step.
For the servers set to the 10 ms load step, the difference in response time between:
ServerA and serverB is 1000 ms. Because this value is greater than the
configured load step of 10 ms, the CSS considers the server loads different.
ServerA and serverC is 20 ms. Because this value is greater than the
configured load step of 10 ms, the CSS considers the server loads different.
For the servers set to 100 ms load step, the difference in response time between:
ServerA and serverB is 1000 ms. Because this value is greater than the
configured load step of 100 ms, the CSS considers the server loads different.
ServerA and serverC is 20 ms. Because this value is less than the configured
load step of 100 ms, the CSS considers servers A and C to have the same load.
Increasing the load step causes the load for servers to be closer to each other.
Decreasing the load step causes the load for servers to be further from each other.
To enable you to configure an accurate load threshold for a server, you can calculate a load number for a server. To calculate a server load number:
1. Take the difference between the response time of the server with the lowest response time and the response time of the server for which you want to determine a load number.
2. Divide this difference by the configured load step.
3. Add this number to the calculated load number of the server with the lowest response time, which is always 2.
For example, to calculate the load number for serverC with the 10 ms load step:
1. Take the difference in server response time between serverA and serverC (20 ms).
2. Divide it by the configured load step (10 ms). The result equals 2.
3. Add 2 to serverA's (the server with the lowest response time) calculated load (2) to determine serverC's calculated load of 4.
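The calculation above, carried through as an added Python example; this is not code from the Cisco documentation or from the CSS itself. It uses the guide's response times for serverA, serverB, and serverC as a constructed sample. Assumptions: the guide does not say how a fractional number of load steps is rounded, so the example floors it, which reproduces both worked cases (serverC at the 100 ms step stays at load 2); the cap at the default load threshold of 254, the value 255 for an unavailable service, and the rule that a service whose load exceeds the threshold leaves the rotation are taken from the surrounding text, and all function and variable names are the example's own.

```python
# Added example (not from the Cisco CSS documentation): reproduces the
# load-number arithmetic the guide describes for the "load step" setting.
# Assumption: fractional steps are floored (the guide does not state the
# rounding; floor matches both worked cases). Assumption: loads are capped
# at the default threshold of 254 and 255 marks an unavailable service.

FASTEST_LOAD = 2      # calculated load of the server with the lowest response time
MAX_LOAD = 254        # default load threshold
UNAVAILABLE = 255     # load number reported for an unavailable service


def calculate_loads(response_ms, step_ms, available=None):
    """Return {server: load} for response times (ms) and a load step (ms).

    response_ms: {name: measured response time in ms}
    step_ms:     configured load step (the guide allows 10 ms and up)
    available:   optional {name: bool}; False marks the service unavailable
    """
    if step_ms < 10:
        raise ValueError("load step must be at least 10 ms")
    fastest = min(response_ms.values())
    loads = {}
    for name, rt in response_ms.items():
        if available is not None and not available.get(name, True):
            loads[name] = UNAVAILABLE
            continue
        steps = (rt - fastest) // step_ms          # step 1 and step 2 of the guide
        loads[name] = min(FASTEST_LOAD + steps, MAX_LOAD)  # step 3, capped
    return loads


def same_load(loads, a, b):
    """True when the CSS would treat two servers as equally loaded."""
    return loads[a] == loads[b]


def eligible(loads, threshold=MAX_LOAD):
    """Services whose load does not exceed the threshold stay in rotation
    (assumption about how the load threshold is applied)."""
    return sorted(name for name, load in loads.items() if load <= threshold)


# Constructed sample matching Figure 1-2 (response times in ms).
SERVERS = {"serverA": 100, "serverB": 1100, "serverC": 120}

if __name__ == "__main__":
    for step in (10, 100):
        loads = calculate_loads(SERVERS, step)
        print(f"load step {step} ms: {loads}, "
              f"A and C same load: {same_load(loads, 'serverA', 'serverC')}")
```

With the 10 ms step the example yields serverA 2, serverB 102, serverC 4; with the 100 ms step it yields serverA 2, serverB 12, serverC 2, so a larger step pulls the load numbers together exactly as the text states.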
Increasing the load step causes the load for services to be closer to each other,
thus increasing the number of flows to a slower service.
Decreasing the load step causes the load for services to be further from each
other, decreasing the flows to a slower service.
The options and syntax for this global configuration mode command are:
load step msec dynamic (default) - Set the initial load step. The CSS uses the
default of 10 ms as the initial load step, modifying it after the CSS collects
sufficient response time information.
load step msec static - Set a constant load step. The CSS uses this load step
value instead of making dynamic calculations.
Enter the load step in milliseconds from 10 to 1000000000. The default is 10 ms.
For example, to set the load step to 100 ms, enter:
(config)# load step 100
Note
If you do not configure a load threshold for the content rule with the
(config-owner-content) load-threshold command, the rule inherits this global
load threshold.
To set the load threshold to the default of 254, enter:
(config)# no load threshold
Field
Description
Global load
information
Step Size
Configured
Actual
Threshold
Configuring Keepalives in Global Keepalive Mode
Table 1-3
Field
Description
Ageout-Timer
Teardown-timer
Configured
Actual
Service Name
Each of the following keepalive types can have a maximum of 256 keepalives:
HTTP-GET, FTP, and script. However, the total number of these keepalives
cannot exceed 512. Of the 256 script keepalives, you can configure a maximum
of 16 keepalives to use script output. For details, see Using Script Keepalives
With Services later in this chapter.
These keepalives include:
ICMP, HTTP, TCP, FTP, SSL, and script keepalives configured and assigned to a service through the (config-keepalive) type command. Each time you assign one of these keepalives to a service through this command, the CSS counts it as one keepalive.
Caution
Do not configure more than 2048 total keepalives, including a maximum of 512 HTTP-GET, FTP, and script keepalives. Any services assigned to keepalives over the supported maximum number will not be eligible for content rule selection.
To access keepalive configuration mode, use the keepalive command from
circuit, global, interface, and IP configuration modes. The prompt changes to
(config-keepalive [name]). You can also use this command from keepalive mode
to access another keepalive.
The following sections describe how to configure global keepalives:
The prompt changes to (config-keepalive[keepimages]).
(config-keepalive[keepimages])#
Caution
In WebNS 5.1 and earlier versions, if you configure more than 16 script
keepalives the CSS automatically adjusts the keepalive frequency time to a value
that best fits the resource usage. Note that this adjustment also affects the
keepalive retry period value (see Configuring a Global Keepalive Retryperiod
later in this chapter) by adjusting that value to a number that is one-half the
adjusted frequency time. If this occurs, you may observe in the output of the show
service command that your previously set keepalive frequency and retry period
times change to a different value, as determined by the CSS.
For example, to set the frequency time to 10 seconds, enter:
(config-keepalive[keepimages])# frequency 10
method get - The CSS issues an HTTP GET method to the service, computes
a hash value on the page, and stores the hash value as a reference hash.
Subsequent GETs require a 200 OK status (HTTP command completed OK
response) and the hash value to equal the reference hash value. If the 200 OK
status is not returned, or if the 200 OK status is returned but the hash value is
different from the reference hash value, the CSS considers the service down.
When you specify the content information of an HTTP Uniform Resource
Identifier (URI) for an HTTP keepalive, the CSS calculates a hash value for
the content. If the content information changes, the hash value no longer
matches the original hash value and the CSS assumes that the service is down.
To prevent the CSS from assuming that a service is down due to a hash value
mismatch, specify the method as head.
method head (default) - The CSS issues an HTTP HEAD method to the
service and a 200 OK status is required. The CSS does not compute a
reference hash value for this type of keepalive. If the 200 OK status is not
returned, the CSS considers the service down.
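The difference between the two HTTP keepalive methods, as an added Python example; this is not code from the Cisco documentation or the CSS. It models the decision the guide describes: a GET keepalive learns an MD5 reference hash from the first page it fetches and then requires both a 200 OK and an unchanged hash, while a HEAD keepalive requires only the 200 OK. The HTTP exchange is replaced by a caller-supplied fetch callable and a constructed stand-in server so the example runs offline; the MD5 choice comes from the guide's hash step, the ALIVE/DYING/DOWN transition after a configurable number of failures is the example's simplification of the keepalive maxfailure setting, and all class and function names are the example's own.

```python
# Added example (not from the Cisco CSS documentation): HTTP keepalive
# logic for "method get" (reference hash) versus "method head" (status only).
# The backend is a constructed stand-in; `fetch(method, uri)` returns
# (status_code, body_bytes). Assumption: DYING after one failure, DOWN after
# max_failures consecutive failures, mirroring the keepalive maxfailure idea.
import hashlib


class HttpKeepalive:
    def __init__(self, uri, method="head", reference_hash=None, max_failures=3):
        if method not in ("get", "head"):
            raise ValueError("method must be 'get' or 'head'")
        self.uri = uri
        self.method = method
        self.reference_hash = reference_hash   # None: learn from the first GET
        self.max_failures = max_failures
        self.failures = 0
        self.state = "ALIVE"

    @staticmethod
    def page_hash(body):
        """MD5 of the page, as the 32-character hex string the CLI accepts."""
        return hashlib.md5(body).hexdigest()

    def probe(self, fetch):
        """Run one keepalive; return True if the service passed."""
        status, body = fetch(self.method.upper(), self.uri)
        ok = status == 200
        if ok and self.method == "get":
            digest = self.page_hash(body)
            if self.reference_hash is None:
                self.reference_hash = digest        # first GET stores the reference
            elif digest != self.reference_hash:
                ok = False                          # content changed: treat as down
        self.failures = 0 if ok else self.failures + 1
        if ok:
            self.state = "ALIVE"
        elif self.failures >= self.max_failures:
            self.state = "DOWN"
        else:
            self.state = "DYING"
        return ok


class FakeServer:
    """Constructed stand-in for the backend: one page whose body can be edited."""

    def __init__(self, body, status=200):
        self.body = body
        self.status = status

    def fetch(self, method, uri):
        # HEAD returns headers only, so no body is available to hash.
        return self.status, (self.body if method == "GET" else b"")


if __name__ == "__main__":
    server = FakeServer(b"<html>index</html>")
    get_kal = HttpKeepalive("/index.html", method="get")
    head_kal = HttpKeepalive("/index.html", method="head")
    print("initial GET:", get_kal.probe(server.fetch), get_kal.reference_hash)
    server.body = b"<html>updated</html>"        # content edited on the server
    print("GET after edit:", get_kal.probe(server.fetch), get_kal.state)
    print("HEAD after edit:", head_kal.probe(server.fetch), head_kal.state)
```

Editing the page makes the GET keepalive fail and eventually mark the service DOWN even though the server is healthy, while the HEAD keepalive keeps passing; pinning a known hash with the reference_hash argument corresponds to the CLI's hash command.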
For example, to specify port 8080 as the global keepalive port, enter:
(config-keepalive[keepimages])# port 8080
type ftp ftp_record - Keepalive type that accesses an FTP server by logging
into the server as defined in an FTP record file.
type ssl - SSL HELLO keepalives for this service. Use this keepalive for all
backend services supporting SSL. The CSS sends a client HELLO to connect
the SSL server. After the CSS receives a HELLO from the server, the CSS
closes the connection with a TCP RST.
When the 11500 series CSS is using an SSL module, use the keepalive type
of none. The SSL module is an integrated device in the CSS and does not
require the use of keepalive messages for the service.
type tcp - A TCP session that determines service viability (3-way handshake
and a reset (RST)). By default and in compliance with RFC 1122, the CSS
sends a RST to close the socket on a server port for TCP keepalives. A RST
is faster than a FIN, because a RST requires only one packet, while a FIN can
take up to four packets. If your servers require a graceful closing of a socket
using a FIN, you can use a script keepalive. For an example TCP script
keepalive that sends a FIN to close a socket, refer to the Cisco Content
Services Switch Advanced Configuration Guide, Chapter 11, Using the CSS
Scripting Language, in the Script Keepalive Examples section.
For example, to set the global keepalive keepimages to type tcp, enter:
(config-keepalive[keepimages])# type tcp
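A TCP keepalive probe of the kind the type tcp description covers, as an added Python example; this is not code from the Cisco documentation or the CSS. It completes the three-way handshake and then closes with a RST rather than a FIN: on POSIX systems, setting SO_LINGER with a zero linger time makes close() send a single RST segment instead of the FIN exchange, which is the socket-API behaviour the example relies on (an assumption about the host operating system, not a CSS feature). The loopback listener is a constructed stand-in for the real server, and the function names are the example's own.

```python
# Added example (not from the Cisco CSS documentation): a TCP keepalive that
# opens a connection (3-way handshake) and closes it abortively with a RST,
# as the guide describes for "type tcp", or gracefully with a FIN for servers
# that need it. Assumption: SO_LINGER with l_linger=0 yields RST on close(),
# which holds on Linux and other POSIX systems.
import socket
import struct
import threading


def tcp_keepalive(host, port, timeout=2.0, abortive=True):
    """Return True if a TCP connection to host:port can be established."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))          # SYN, SYN-ACK, ACK
    except OSError:                         # refused, unreachable, or timed out
        sock.close()
        return False
    if abortive:
        # l_onoff=1, l_linger=0: close() sends RST (one segment), no FIN handshake
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()                            # FIN exchange when not abortive
    return True


def probe_service(host, port, max_failures=3, **probe_args):
    """Apply the max-failure rule: DOWN after max_failures consecutive failures."""
    for _ in range(max_failures):
        if tcp_keepalive(host, port, **probe_args):
            return "ALIVE"
    return "DOWN"


def start_stub_listener():
    """Constructed backend: accept connections on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed or idle timeout
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_stub_listener()
    print("RST close:", tcp_keepalive("127.0.0.1", port))
    print("FIN close:", tcp_keepalive("127.0.0.1", port, abortive=False))
    listener.close()
    print("after shutdown:", probe_service("127.0.0.1", port))
```

Captured on the wire, the abortive close shows the handshake followed by one RST, whereas the graceful close shows the FIN/ACK exchange the guide describes as costing up to four segments.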
For example, to specify the content information for the global keepalive, enter:
(config-keepalive[keepimages])# uri "/index.html"
3. Display the hash value using the show keepalive command. For example, enter:
(config-keepalive[keepimages])# show keepalive
Keepalives:
Name: imageserver1                     Index: 0                State: ALIVE
Description: Auto generated for service serv1
Address: 10.0.3.21                     Port: 80
Type: HTTP GET:/testpage.html
Hash: 1024b91e516637aaf9ffca21b4b05b8c
Frequency: 5                           Max Failures: 3         Retry Frequency: 5
Dependent Services:
4. Use the hash value from the keepalive display to configure the keepalive hash. Enter the MD5 hash value as a quoted hexadecimal string with a maximum of 32 characters. For example, enter:
(config-keepalive[keepimages])# hash "1024b91e516637aaf9ffca21b4b05b8c"
To clear a hash value and return to the default hash value, enter:
(config-keepalive[keepimages])# no hash
Field
Description
Name
Index
State
The state of the keepalive. The possible states are down, alive,
dying, and suspended.
Description
Address
Port
Type
Frequency
Max Failures
Retry Frequency
Dependent Services
Using Script Keepalives With Services
Currently, a CSS provides keepalives for FTP, HTTP, ICMP, SSL, and TCP. For
information on global keepalives, see Configuring Keepalives in Global
Keepalive Mode earlier in this chapter. For information on configuring keepalive
messages, see Configuring Keepalives for a Service earlier in this chapter.
Script keepalives allow you to extend the CSS keepalive functionality beyond the default keepalives. For example, you can develop a script specifically to connect a CSS to a Post Office Protocol 3 (POP3) mail server.
Once you create a script offline, you can upload it to the CSS and configure the
script keepalive option on a service.
The CSS supports a maximum of 256 script keepalives. If you specify a script to
parse the output for each executed command, you can configure only
16 keepalives that use script output.
Note
You can also configure a script keepalive without having the corresponding script
present on the CSS. In this case, a constant Down state remains on the service
until you upload the appropriate script to the CSS. This allows you to develop and
implement a configuration before uploading all the scripts to the CSS.
Use the script naming convention of ap-kal-type, so that when you press tab or
?, you can easily see the keepalive scripts available for use. For example, an
SMTP script would be named ap-kal-smtp. The script name can have a maximum
of 32 characters. The arguments must be in a quoted text string with a maximum
of 128 characters.
For the configured script keepalive to find the corresponding script, the script
must reside in the /<current running version>/script directory. When you
configure a script keepalive, use only script names. (A CSS does not accept path
names.) If the script is present elsewhere on the CSS, the script keepalive assumes
it does not exist.
For a large number of services that use script keepalives, use a smaller subset of
global keepalives to handle the work for them. For information on global
keepalives, see Configuring Keepalives in Global Keepalive Mode earlier in
this chapter.
Use the keepalive type script command to configure script keepalives. The
syntax for this service configuration mode command is:
keepalive type script script_name {arguments} {use-output}
The optional use-output keyword allows the script to parse the output for each executed command. This optional keyword allows the use of grep and file redirection within a script. You can configure a maximum of 16 script keepalives (out of the maximum of 256 script keepalives) to use script output. By default, the script does not parse the output.
For example, to configure an httplist keepalive, enter:
(config-service[serv1])# keepalive type script ap-kal-httplist "10.10.102.105 /default.htm"
In the previous command example, the keepalive command configures the serv1 service keepalive to be of type script with the script name ap-kal-httplist and the arguments 10.10.102.105 /default.htm. The output is not parsed by the script.
To disable a script keepalive on a service, enter:
(config-service[serv1])# keepalive type none
Note
If a script keepalive terminates with an error, you can use the Script Error and
Script Run Time fields to help troubleshoot the problem.
You can also use the show running-config command to display the script
keepalive and its arguments.
For example, enter:
(config-service[serv1])# show running-config
service serv1
ip address 10.10.102.105
keepalive frequency 10
keepalive type script ap-kal-httplist "10.10.102.105 /default.htm"
active
The example above shows the script keepalive and arguments that have been
configured on a service. If no arguments are specified in the script, then the
quoted text following the script name will not appear.
Because the above script fails when it executes the exit command, the script
returns a non-zero value. By default, the script will fail with a syntax error if the
connect command fails. Be sure to check the logic of your scripts to ensure that
the CSS returns the correct value.
1. Upgrade the WebNS software in your CSS. Refer to the Cisco Content Services Switch Administration Guide.
2. Copy the scripts from the old /<current running version>/script directory to the new /<current running version>/script directory.
3.
DFP Overview
The DFP manager (running on the CSS as a task and part of the load manager) is
responsible for establishing TCP connections with the DFP agents that reside on
each server. A DFP manager can communicate simultaneously with a maximum
of 127 DFP agents. DFP agents can be software running on the actual server itself
or may be separate hardware devices that collect and consolidate information
from one or more servers for load-balancing purposes. DFP agents are available
from a number of third-party sources.
Configuring Dynamic Feedback Protocol for Server Load-Balancing
DFP agents collect relative weights from the load-balanced servers and
periodically send new or adjusted weights to the DFP manager in the form of load
vectors. The CSS load manager distributes the incoming connections or services
to the servers in the order of weight assigned to the load-balanced servers. The
load manager uses the reported weights to choose the best available server,
resulting in optimal performance of servers and less response time.
Note
If you configure a weight on a service using the add service weight command in
owner-content configuration mode, the configured weight takes precedence over
the service weight reported by the DFP agent for that content rule. In turn, the
DFP-reported weight take precedence over the weight configured on a service in
service configuration mode.
The CSS uses load-balancing algorithms such as roundrobin, weighted
roundrobin, Arrowpoint Content Aware (ACA), least connections, and so on to
distribute the incoming connections or service requests. Weighted roundrobin can
take advantage of the server weights reported by the DFP agents.
The weighted roundrobin load-balancing method uses weight to specify how
many consecutive connections to give to the highest-weighted server before
moving on to the next highest-weighted server. As a servers load changes, the
DFP agent recalculates the weight for each server and reports the updated weights
to the DFP manager, thereby influencing how the load manager distributes the
service requests. For more information on CSS server load-balancing, refer to
Chapter 3, Configuring Content Rules.
Is congested
Is underutilized
The server state message, sent from the DFP manager to the agent, informs
the agent that the load manager has decided to take the server in or out of
service.
The DFP parameters send configuration information from the DFP manager
to the agent. Currently the only configuration parameter passed is the
keepalive interval.
Load Vector - Contains the actual load information being reported for the
real servers and represents the servers' preferred capability.
If a CSS receives a message that contains a vector type that it does not understand,
The CSS discards the unknown vector.
Figure 1-3 DFP Manager and DFP Agents (diagram not reproduced). The DFP manager on the CSS holds the service list and opens TCP connections to the DFP agents on Origin Server 1 and Origin Server 2; the agents return weight information grouped by port number and protocol.
ip_or_host - The IP address or host name of the configured DFP agent. Enter
an IP address in dotted-decimal notation (for example, 192.168.11.1) or a
mnemonic host name (for example, myhost.mydomain.com).
port - Optional. The server TCP port that the configured DFP agent uses to
listen for connections from the CSS DFP manager. Valid entries are 0 to
65535. The default is 14001.
encrypted_key - The DES key that the CSS previously encrypted. The CSS
does not re-encrypt this key and saves it in the running-config as you entered
it. Enter an unquoted case-sensitive text string with no spaces and a maximum
of 128 characters.
encrypt_key - The DES encryption key that you want the CSS to encrypt.
The CSS saves the encrypted key in the running-config as you entered it.
Enter a quoted case-sensitive text string with no spaces and a maximum of
64 characters.
retry count - Optional. The number of times the CSS DFP manager tries to
reopen a connection with the server DFP agent. The range is from 0 (for
continuous retries) to 65535. The default is 3 retry attempts.
delay time - Optional. The delay time, in seconds, between each connection
reestablishment attempt. Valid entries are 1 (immediately) to 65535 seconds
(18 hours). The default value is 5 seconds.
For example, suppose that you configure on the same content rule three services
(serv1, serv2, and serv3) with weights of 1, 2, and 5, respectively. If the DFP
agent reports a weight of 20 for serv1, serv1 will now receive 20 connections for
every two connections on serv2 and five connections on serv3. This places a
disproportionate load on serv1, especially if serv2 and serv3 represent fast servers
with plenty of unused resources.
To solve this problem and to maintain the same weight range for all three services,
you can do either of the following:
Force the DFP agent to report a weight in the range of 1 to 10 for serv1
Have the DFP agent report weights for all three services to maintain the same
weight range
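The weight precedence stated in the Note above (content-rule weight over DFP-reported weight over service-mode weight) and the disproportionate distribution in this example, worked through as an added Python example; this is not code from the Cisco documentation or the CSS load manager. The scheduler is a minimal rendering of the guide's description of weighted roundrobin, in which the highest-weighted service receives weight consecutive connections before the scheduler moves to the next, and it should not be read as the CSS's own algorithm; the serv1/serv2/serv3 weights and the DFP report of 20 are the guide's constructed scenario, and the function names are the example's own.

```python
# Added example (not from the Cisco CSS documentation): weight precedence
# (rule weight > DFP-reported weight > service-mode weight) and a minimal
# weighted roundrobin that hands the highest-weighted service `weight`
# consecutive connections before moving on, as the guide describes.
# Assumption: this scheduler is an illustration, not the CSS load manager.
from collections import Counter


def effective_weight(service_weight, dfp_weight=None, rule_weight=None):
    """Resolve the weight the load manager should use for one service."""
    if rule_weight is not None:        # add service weight in owner-content mode
        return rule_weight
    if dfp_weight is not None:         # weight reported by the DFP agent
        return dfp_weight
    return service_weight              # weight command in service mode


def apply_dfp(configured, dfp_reports, rule_weights=None):
    """Combine service-mode weights, DFP reports, and rule weights."""
    rule_weights = rule_weights or {}
    return {svc: effective_weight(w, dfp_reports.get(svc), rule_weights.get(svc))
            for svc, w in configured.items()}


class WeightedRoundRobin:
    def __init__(self, weights):
        if not any(w > 0 for w in weights.values()):
            raise ValueError("at least one service needs a positive weight")
        self.weights = dict(weights)

    def schedule(self, n):
        """Return the services chosen for the next n connections."""
        order = sorted(self.weights, key=lambda s: -self.weights[s])
        chosen = []
        while len(chosen) < n:
            for svc in order:
                for _ in range(self.weights[svc]):     # consecutive connections
                    if len(chosen) == n:
                        return chosen
                    chosen.append(svc)
        return chosen


def distribution(weights, n):
    """Connection counts per service over n scheduled connections."""
    return Counter(WeightedRoundRobin(weights).schedule(n))


# Constructed scenario from the guide: serv1/serv2/serv3 configured with
# weights 1/2/5 in service mode; the DFP agent reports 20 for serv1 only.
CONFIGURED = {"serv1": 1, "serv2": 2, "serv3": 5}
DFP_REPORTS = {"serv1": 20}

if __name__ == "__main__":
    weights = apply_dfp(CONFIGURED, DFP_REPORTS)
    print("effective weights:", weights)
    print("27 connections:", dict(distribution(weights, 27)))
    # A rule weight of 1 on serv1 overrides the DFP report for that rule.
    pinned = apply_dfp(CONFIGURED, DFP_REPORTS, rule_weights={"serv1": 1})
    print("with rule weight:", dict(distribution(pinned, 8)))
```

With only serv1 reported, 27 connections split 20/2/5 exactly as the text warns; having the agent report all three services in one range, or pinning serv1 with a rule weight, restores a proportional split.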
Table 1-5
Field
Description
IP Address
Port
State
The state of the DFP agent. Possible states are Active, Dead, or
Connecting.
KAL
MD5 Key
ip_or_host - The IP address or host name of the configured DFP agent. Enter
an IP address in dotted-decimal notation (for example, 192.168.11.1) or a
mnemonic host name (for example, myhost.mydomain.com).
port number - Optional. The port number for the load-balanced server or
service. Valid entries are 0 to 65535. The default is 14001.
protocol text - Optional. The type of protocol for the load-balanced server or
service. Possible values are TCP, UDP, HTTP, or FTP.
The following example shows the weight reported by a DFP agent configured at
192.168.1.2, for server 192.168.1.3. Weights are first grouped by port number of
reported servers, and then by protocol.
# show dfp-reports 192.168.1.2 port 80 protocol tcp ip 192.168.1.3
Field
Description
Service
The name of the configured service for which the DFP agent is
reporting
Weight
The last weight reported by the DFP agent for the service
Time-Stamp
# of Reports
R, the weight configured for a service using the add service weight command
in owner-content mode
S, the weight configured for a service using the weight command in service
mode
For details on the show rule services command, refer to Chapter 3, Configuring
Content Rules.
Where to Go Next
For information on creating and configuring owners, refer to Chapter 2,
Configuring Owners.
Chapter 2
Configuring Owners
This chapter describes how to create and configure owners. Information in this
chapter applies to all CSS models except where noted.
This chapter contains the following sections:
Creating an Owner
Specifying Case
Removing an Owner
2. Create an owner.
(config)# owner arrowpoint
(config-owner[arrowpoint])#
Creating an Owner
An owner is generally the person or company who contracts the web hosting
service to host their web content and allocate bandwidth as required. Use the
owner command to create an owner for a content rule. When you create an owner,
you enable the CSS to identify the entity (for example, person, company name, or
other meaningful title) that owns content rules. The CSS can contain many owners
and maintain a configurable profile for each owner.
Configuring an Owner DNS Balance Type
When creating an owner, you may want to use the owner's DNS name. Enter the
owner name as an unquoted text string from 1 to 31 characters in length. The
following example creates the owner arrowpoint:
(config)# owner arrowpoint
Once you create an owner, the CLI enters into owner mode.
(config-owner[arrowpoint])#
To remove an owner, use the no owner command from config mode; you must first exit the owner mode of the owner you want to remove. When you remove an owner, you also remove all content rules created for the owner. For example, enter:
(config)# no owner arrowpoint
To reset the DNS load balancing method to its default setting of roundrobin,
enter:
(config-owner[arrowpoint])# no dnsbalance
Specifying Case
To define whether or not the CSS employs case-sensitivity when matching content
requests to an owners content rule, use the case command. The default is case
insensitive.
Specifying Owner DNS Type
dns accept - Accept all content rules proposed by the CSS peer
dns push - Push (send) all content rules onto the CSS peer
dns both - Accept all content rules proposed by the CSS peer and push all
rules onto the CSS peer
Removing an Owner
To remove an owner, use the no owner command from config mode. To remove
an owner, you must first exit from the owner mode. You cannot be in the owner
mode that you wish to remove.
For example, to remove an owner, enter:
(config)# no owner arrowpoint
Caution
Removing an owner also deletes the content rules associated with it.
Showing Owner Information
For example, to display configuration information for a specific owner from the
ACL, Circuit, Global, Group, Interface, Service, SuperUser, or User modes, enter:
# show owner test.com
Table 2-2 describes the fields in the show owner name output.
Table 2-2
Field
Description
Name
Billing Info
Address
The postal address for the owner of the Web hosting service.
Email Address
DNS Policy
The peer DNS exchange policy for the owner. The possible
policies are:
Case Matching
To display statistics for an owner from the ACL, Circuit, Global, Group, Interface,
Service, SuperUser, or User modes, enter:
# show owner test.com statistics
To display statistics for the owner from either Owner or Content mode, enter:
(config-owner[test.com])# show owner statistics
Table 2-3 describes the fields in the show owner name statistics output.
Table 2-3
Field
Description
DNS Policy
The peer DNS exchange policy for the owner. The possible
policies are:
Hits
Bytes
Frames
Redirects
Spoofs
Case Matching
Drops
Not used.
NAT
Translations
Not used.
Owners
Content rules
Services
Service hits
You can issue the following show summary commands from any mode:
Field
Description
URL Params Bypass Count
Cache Miss Bypass Count
Garbage Bypass Count
The number of times that the CSS examined content requests and deemed them unrecognizable or corrupt. As a result, the CSS forwards the content request to the origin server rather than the cache server.
Owner
Content Rules
State
Services
Service Hits
Where to Go Next
Once you create and configure an owner, refer to Chapter 3, Configuring Content
Rules, for information on configuring content rules. Content rules instruct the
CSS on how to handle requests for the owners content. You create and configure
a content rule within a specific owner mode. This method ensures that the
configured content rule applies only to a specific owner.
Chapter 3
Configuring Content Rules
Configuring a Protocol
Configuring a Port
Configuring Hotlists
Defining Failover
Showing Content
An owner is generally the person or company who contracts the web hosting
service to host their web content and allocate bandwidth as required. To
configure owners, refer to Chapter 2, Configuring Owners.
1. Uses the owner content rule to translate the owner Virtual IP address (VIP) or domain name using Network Address Translation (NAT) to the corresponding service IP address and port.
2.
3. Uses content rules to choose which service can best process the request for content.
4. Applies all content rules to service the request for content (for example, load-balancing method, redirects, failover, stickiness).
The type of rule also implies the Layer at which the rule functions.
Note
Content rules are hierarchical. That is, if a request for content matches more than
one rule, the characteristics of the most specific rule apply to the flow. The CSS
uses this order of precedence to process requests for the content, with 1 being the
highest match and 9 being the lowest match. The hierarchy for content rules is as
follows:
1.
2.
3.
4. IP address, protocol
5. IP address
6.
7.
8. Protocol, port
9. Protocol
Note
The CSS evaluates the content rule hierarchy before it evaluates the Layer 5 rule
URL, cookie strings, or HTTP header information.
Figure 3-1 illustrates the CSS service, owner, and content rule concepts.
Figure 3-1 Services, Owners, and Content Rules Concepts (diagram not reproduced; its labels are summarized here)
Clients request content from www.arrowpoint.com; the CSS NATs www.arrowpoint.com to VIP 192.1.1.43.
Clients request content from www.dogsRus.com; the CSS NATs www.dogsRus.com to VIP 172.1.1.89.
Owner: arrowpoint, content rule: arrowrule1
- VIP 192.1.1.43
- service Serv1
- protocol tcp
- port 80
- round-robin
- activate rule
Owner: frednmandi, content rule: fredrules
- VIP 172.1.1.89
- service Serv2
- protocol tcp
- port 8080
- activate rule
Serv1 contains content for arrowpoint.com
- IP address 10.0.0.8
- keepalive type ICMP
- protocol tcp
- port 8080
- activate service
Serv2 contains content for dogsRus.com
- IP address 10.0.0.9
- keepalive type ICMP
- protocol tcp
- port 8080
- activate service
2. Enter into the owner mode for which you wish to create content rules.
(config)# owner arrowpoint
3.
4. Configure a Virtual IP address (VIP) or domain name for the owner content. This example configures a VIP, which implies a Layer 3 content rule.
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6
If you require a Layer 4 content rule, specify a protocol in the content rule and a specific TCP/UDP port number (in addition to the VIP address or domain name).
(config-owner-content[arrowpoint-rule1])# protocol tcp
(config-owner-content[arrowpoint-rule1])# port 80
If you require a Layer 5 content rule, specify a URL in the content rule (in addition to the protocol and port number).
(config-owner-content[arrowpoint-rule1])# url //www.arrowpoint.com/*
Table 3-1
Once you assign a content rule to an owner, the CLI prompt changes to reflect the
specific owner and content rule mode.
(config-owner-content[arrowpoint-rule1])#
Within owner and content mode, you can configure how the CSS will handle
requests for the content. To remove an existing content rule from an owner, use
the no content command from owner mode. For example, enter:
(config-owner[arrowpoint])# no content rule1
The CSS supports Adaptive Session Redundancy (ASR) on 11500 series CSS
peers in an active-backup VIP redundancy and virtual IP interface redundancy
environment to provide stateful failover of existing flows. For details on ASR,
refer to the Cisco Content Services Switch Advanced Configuration Guide,
Chapter 6, Configuring VIP and Virtual IP Interface Redundancy.
A Virtual IP address (VIP) is an address that an Internet Domain Name System
(DNS) provides when asked to resolve a domain name. For example, a DNS server
may translate www.arrowpoint.com to the VIP 192.217.4.15. Internet Service
Providers (ISPs) generally assign VIPs. ISPs request VIPs from the Internet
Assigned Name Authority (IANA).
Assigning a VIP to owner content enables the CSS to translate (using Network
Address Translation (NAT)) the VIP to the IP address of the service where the
content resides.
Note
The CSS allows you to configure a domain name instead of a VIP. See the next
section for information on configuring a domain name. You may configure either
a VIP, a domain name, or both in a content rule.
To enable the CSS to translate an owner's Internet IP address to the IP address of
the service where the content resides, configure a VIP for the owner content. By
translating a VIP to the service IP address, the CSS enhances network security
because it prevents users from accessing your private network IP addresses.
Caution
Ensure that all VIPs are unique IP addresses. Do not configure a VIP to the same
address as an existing IP address on your network or a static ARP entry.
Note
When you configure a rule without a VIP (wildcard VIP rule), the rule matches
on any VIP that matches the other configured rule attributes (for example, port
and protocol). When you configure a rule without a VIP and without a port
(double-wildcard caching rule), the rule matches on any VIP or port that matches
the other configured rule attributes (for example, protocol). If you have a
configuration that requires either type of rule, be aware that the client request will
match on this rule when the client request attempts to connect directly to a server
IP address. For more information on double-wildcard caching rules, refer to
Chapter 7, Configuring Caching.
The variables and options for the vip address command include:
ip_address or host - The IP address or name for the content rule. Enter the
address in either dotted-decimal IP notation (for example, 192.168.11.1) or
mnemonic host-name format (for example, myhost.mydomain.com).
range number - The range option and variable allow you to specify a range
of IP addresses starting with the VIP address. Enter a number from 1 to
65535. The default range is 1. The ip_address or host variable is the first
address in the range. For example, if you enter a VIP of 172.16.3.6 with a
range of 10, the VIP addresses will range from 172.16.3.6 to 172.16.3.15.
When you use an FTP content rule with a configured VIP address range, be sure
to configure the corresponding source group with the same VIP address range
(refer to Chapter 5, Configuring Source Groups, ACLs, EQLs, URQLs, NQLs,
and DQLs).
To configure a Virtual IP address (VIP), issue the vip address command and
specify either an IP address or a host name. For example, enter:
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6
Note
When you ping a VIP, the CSS responds only if there is at least one live service,
live sorry server, or redirect string configured for the VIP, or if the service is
associated with a source group. If the services or sorry servers are down and you
have not defined a redirect string for the VIP, the CSS does not respond to the
ping.
To configure a Virtual IP address (VIP) with a range of 10, use the vip address
command with the range option. For example, enter:
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6 range 10
When using the vip address range command, use IP addresses that are within the
subnet you are using. The CSS does not ARP for IP addresses that are not on the
circuit subnet. For example, if you configure the circuit for 10.10.10.1/24 and
configure the VIP range as 10.10.10.2 range 400, the CSS will not ARP for any
IP addresses beyond 10.10.10.254. Using the same example with a VIP range of
200, the CSS will ARP for all IP addresses in the range.
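As an added example (not part of the Cisco guide), the following Python check expands a vip address range and reports which addresses lie outside the circuit subnet, which the CSS will not ARP for, and which collide with the circuit's own address (the Caution above). The circuit notation 10.10.10.1/24 and the treatment of the subnet's network and broadcast addresses as unusable are assumptions.

```python
"""Added example (not from the Cisco guide): sanity-check a CSS
'vip address VIP range N' against the circuit subnet it is configured on."""
import ipaddress


def vip_range_addresses(vip, count):
    """Expand 'vip address VIP range COUNT' into its list of addresses.
    The VIP itself is the first address; COUNT follows the command's 1..65535 limit."""
    if not 1 <= count <= 65535:
        raise ValueError("range must be between 1 and 65535")
    start = ipaddress.IPv4Address(vip)
    return [start + i for i in range(count)]


def arp_coverage(circuit, vip, count):
    """Split a VIP range into three lists of dotted-decimal strings:
    inside   - addresses in the circuit subnet, which the CSS will ARP for
    outside  - addresses beyond the subnet, which the CSS silently ignores
    conflicts- addresses equal to the circuit's own IP (a VIP must be unique)
    'circuit' is the circuit interface as 'IP/prefix', e.g. 10.10.10.1/24
    (assumed notation). Network and broadcast addresses count as outside (assumption)."""
    iface = ipaddress.IPv4Interface(circuit)
    net = iface.network
    inside, outside, conflicts = [], [], []
    for addr in vip_range_addresses(vip, count):
        if addr == iface.ip:
            conflicts.append(str(addr))
        elif addr in net and addr not in (net.network_address, net.broadcast_address):
            inside.append(str(addr))
        else:
            outside.append(str(addr))
    return inside, outside, conflicts


if __name__ == "__main__":
    # The guide's example: circuit 10.10.10.1/24, VIP 10.10.10.2 range 400.
    ok, ignored, clash = arp_coverage("10.10.10.1/24", "10.10.10.2", 400)
    print(f"ARP for {len(ok)} addresses up to {ok[-1]}; {len(ignored)} addresses ignored")
```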
To remove a VIP from a content rule, enter:
(config-owner-content[arrowpoint-rule1])# no vip address
Figure (VIP example topology; recoverable content only). A client PC requests content from arrowpoint (VIP 158.37.6.0). Router1 (158.3.7.2) reaches the CSS on Ethernet-2, VLAN2 (158.3.7.58). Serv1 (10.3.6.1) and Serv2 (10.3.6.2) are reached over Ethernet-3 and Ethernet-4, VLAN1 (10.3.6.58). Owner arrowpoint, content rule1, VIP 158.37.6.0.
Note
Domain names in content rules are case insensitive, regardless of the case
command setting.
To configure a domain name in a content rule, use the url command and place two
slash characters (//) at the front of the quoted url_name or url_path.
For example, enter:
(config-owner-content[arrowpoint-rule1])# url //www.arrowpoint.com/*
Normally, port 80 traffic does not use a port number in the domain name. To
specify a port other than port 80, enter the domain name with the port number
exactly. Separate the domain name and the port number with a colon. For
example, enter:
(config-owner-content[arrowpoint-rule1])# url //www.arrowpoint.com:8080/*
Use domain name rules rather than VIP rules when you have several transparent
caches and you want certain domains to use the most powerful cache server. You
want all other domains load balanced among the remaining cache servers. For this
configuration, set up a domain name rule for the specific domains you want
directed to the powerful cache server. Then configure a wildcard VIP rule (specify
port 80 and no VIP) to balance all other HTTP traffic among the remaining
caches.
You may use a single VIP in front of a server that is hosting many domain names.
Over time, some of the domain names may receive more traffic and could benefit
from having their content on a separate server. To segregate the traffic, configure
the domain names you want directed to specific services. You do not need to
configure additional VIPs for the domain names because the CSS will use the
domain names as the matching criteria in the content rules.
The domain names you could add as part of the DQL include www.wood.com,
www.woodworker.com, www.maple.com, www.oak.com. You could configure
www.wood.com and www.woodworker.com to have the same mapping index. You
can enter indexes from 1 to 1000 and provide an optional quoted description for
each index.
For example, enter:
(config-dql[Woodworker])# domain www.wood.com index 1 "This is the same as the woodworker domain"
(config-dql[Woodworker])# domain www.woodworker.com index 1
(config-dql[Woodworker])# domain www.maple.com index 2
(config-dql[Woodworker])# domain www.oak.com index 3
If you specify a DQL as the matching criteria for content rule WoodSites, and there
are two services, S1 and S2, associated with the rule, the CSS checks the services
at mapping time for ranges. To add a DQL to a content rule, use the url command
as shown:
(config-owner-content[WoodSites])# url /* dql Woodworker
For example, if the CSS receives a request for www.oak.com along with other
criteria, a match on the WoodSites rule occurs on DQL index 3. If the rule has the
roundrobin load balancing method, the CSS examines a service (S2 for this
example) to determine the backend connection mapping parameters. If you
configured S2 with a VIP address of 10.0.0.1 with a range of 5, the addresses
include 10.0.0.1 through 10.0.0.5. Because this service has a range of addresses
and 0 (any) as its port, the DQL index of 3 matches the service VIP range index
of 3, which is address 10.0.0.3.
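An added model (not the guide's code) of the Woodworker DQL and the mapping-time lookup just described: the request's host tag selects a DQL index, and that index selects the address inside the chosen service's VIP range. Returning None for a host that is not in the DQL, or for an index beyond the service's range, is an assumption.

```python
"""Added example (not from the Cisco guide): Domain Qualifier List lookup and
DQL-index-to-service-address mapping for content rule WoodSites."""
import ipaddress


class DomainQualifierList:
    """Models '(config-dql[NAME])# domain DOMAIN index N "description"'."""

    def __init__(self, name):
        self.name = name
        self.domains = {}  # lower-cased domain -> (index, description)

    def add(self, domain, index, description=""):
        # The guide allows indexes 1 to 1000 and an optional quoted description.
        if not 1 <= index <= 1000:
            raise ValueError("DQL index must be 1 to 1000")
        # Domain names in content rules are case insensitive.
        self.domains[domain.lower()] = (index, description)

    def index_for(self, host):
        """DQL index for an HTTP host tag, or None when the domain is not listed.
        A ':port' suffix on the host tag is ignored (assumption)."""
        entry = self.domains.get(host.split(":")[0].lower())
        return entry[0] if entry else None


def service_address(service_vip, service_range, dql_index):
    """Map a DQL index onto a service configured 'vip address VIP range N':
    index 1 is the VIP itself, index k the k-th address of the range.
    None when the index falls outside the service's range (assumption)."""
    if not 1 <= dql_index <= service_range:
        return None
    return str(ipaddress.IPv4Address(service_vip) + (dql_index - 1))


def resolve(dql, host, service_vip, service_range):
    """Host tag -> DQL index -> backend address on the selected service."""
    index = dql.index_for(host)
    if index is None:
        return None
    return service_address(service_vip, service_range, index)


def build_woodworker():
    """The DQL from the guide's example."""
    dql = DomainQualifierList("Woodworker")
    dql.add("www.wood.com", 1, "This is the same as the woodworker domain")
    dql.add("www.woodworker.com", 1)
    dql.add("www.maple.com", 2)
    dql.add("www.oak.com", 3)
    return dql


if __name__ == "__main__":
    # Service S2: vip address 10.0.0.1 range 5; www.oak.com is index 3 -> 10.0.0.3
    print(resolve(build_woodworker(), "www.oak.com", "10.0.0.1", 5))
```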
To delete a DQL, use the no dql command. For example, enter:
(config)# no dql Woodworker
port 80
url //www.domain.com/*
add service Serv1
activate
If your network topology does not require that the CSS ARP-reply for VIPs, you
do not need to configure separate content rules for the domain name and VIP. In
this situation, a domain name content rule without a VIP is sufficient because it
will match on all content requests going to the domain regardless of the VIP.
An example of a topology where ARP-replying is not required is when an
upstream router has the CSS statically configured as the next hop router for the
VIPs. A domain name content rule is as follows:
content domainRule3
protocol tcp
port 80
url //www.domain.com/*
add service Serv1
active
Note
You cannot use wildcards with either a Domain Qualifier List (DQL) or a
Uniform Resource Locator Qualifier List (URQL).
For example, the following content rule criteria have the highest precedence
because, as a set, they provide the greatest specificity in matching content:
Domain name, IP address, protocol, port, URL
If you want to create a content rule using all these criteria, such as the
configuration shown below, then the content rule matches only on the JPEG files
that are found in the domain whose name starts with arr, as well as the other
criteria, including VIP address, protocol, and port number.
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6
When the CSS encounters a content rule with a wildcard domain name and
matches according to the content rule hierarchy, it stops the search at that point.
This behavior is consistent with the way that the CSS manages content rules in
general.
For example, if the content request matches on the rule with VIP address
192.168.3.6 and URL /*, the CSS does not continue the search to match on a
second rule with a wildcard VIP address (no address specified) and a URL of
/*.jpg. The specific address match makes the first rule more specific than the
second rule.
To further clarify, if the match occurs on a rule with //arrowpoint*.com/*, the
search stops at that point and does not continue to match on a rule with
//arr*.com/*.gif, because the first rule is a more specific match. Also note that a
fully-specified domain name rule (arrowpoint.com) is more specific than a
wildcard domain name rule (arr*.com).
For example, to have the content rule match on all instances of the text string
arr in the domain name portion of the content rule, enter:
(config-owner-content[arrowpoint-rule1])# url //www.arr*.com/*
Other supported wildcard domain names of this form include:
www.arr*.com
arr*.com
*.arr*.com
arr*.home.com
Notice that the wildcard character either appears by itself as a domain word, or
appears to the right of any characters that start a domain word. However, a
wildcard character cannot start a domain name word. The following wildcard
domain names are therefore not supported:
*point.com
*.*point.com
*point.home.com
You cannot use wildcards on the rightmost portion (for example, .com, .org, .gov)
of the domain name. For this reason, the wildcard domain name syntax f* is not
supported. You can use wildcards in any other words that make up the domain
name.
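The wildcard syntax rules and the most-specific-match behaviour above, as an added example that is not from the guide. Word-by-word matching of the host tag, and ranking two wildcard domains by their literal characters, are assumptions drawn from the guide's examples.

```python
"""Added example (not from the Cisco guide): wildcard domain validation,
host-tag matching, and most-specific-rule selection for CSS content rules."""
import re


def validate_domain_pattern(pattern):
    """True if a domain name follows the guide's wildcard rules: '*' stands
    alone as a domain word or follows the characters that start a word, never
    starts a word that has other characters, and never appears in the
    rightmost word (.com, .org, .gov, ...)."""
    words = pattern.split(".")
    if len(words) < 2 or any(not w for w in words):
        return False
    if "*" in words[-1]:
        return False
    for word in words[:-1]:
        if word == "*":
            continue
        if word.startswith("*") or word.count("*") > 1:
            return False
        if "*" in word and not word.endswith("*"):
            return False
    return True


def domain_matches(pattern, host):
    """Match an HTTP host tag against a validated pattern, word by word and
    case-insensitively; a ':port' suffix on the host is ignored.
    Word-by-word matching is an assumption, not stated by the guide."""
    host_words = host.split(":")[0].lower().split(".")
    pat_words = pattern.lower().split(".")
    if len(pat_words) != len(host_words):
        return False
    for p, h in zip(pat_words, host_words):
        if p == "*":
            continue
        if p.endswith("*"):
            if not h.startswith(p[:-1]):
                return False
        elif p != h:
            return False
    return True


def domain_score(pattern):
    """(2, n) for a fully specified domain, (1, n) for a wildcard domain, with
    n the number of literal characters, and (0, 0) when the rule has no domain.
    Ranking wildcard domains by literal characters is an assumption taken from
    the //arrowpoint*.com/* versus //arr*.com/*.gif example."""
    if not pattern:
        return (0, 0)
    return (2 if "*" not in pattern else 1, len(pattern.replace("*", "")))


def specificity(rule):
    """Ordering key: domain first, then VIP, protocol, port, then URL."""
    url = rule.get("url") or ""
    return (
        domain_score(rule.get("domain")),
        1 if rule.get("vip") else 0,
        1 if rule.get("protocol") else 0,
        1 if rule.get("port") else 0,
        2 if url and url != "/*" else (1 if url else 0),
    )


def rule_matches(rule, host, vip, path):
    """True when every attribute configured on the rule matches the request."""
    if rule.get("domain") and not domain_matches(rule["domain"], host):
        return False
    if rule.get("vip") and rule["vip"] != vip:
        return False
    if rule.get("url"):
        url_re = re.escape(rule["url"]).replace(r"\*", ".*")
        if not re.fullmatch(url_re, path):
            return False
    return True


def best_rule(rules, host, vip, path):
    """Pick the most specific matching rule; the search stops there, so a less
    specific rule is never consulted even if its URL would also match."""
    matches = [r for r in rules if rule_matches(r, host, vip, path)]
    return max(matches, key=specificity) if matches else None
```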
Note
You can only add local services to a content rule that contains either a Domain
Qualifier List (DQL) or a service port range.
The add service command enables you to add the following types of services to
a content rule:
Service
When you configure a Layer 3 or 4 content rule, the rule hits the local services. If:
- The local services are not active or configured, the rule hits the primary sorry server.
- The primary sorry server fails, the rule hits the secondary sorry server.
Redirect services and redirect content strings cannot be used with Layer 3 or 4
rules because they use the HTTP protocol.
When you configure a Layer 5 content rule, the CSS directs content requests to local services. If:
- The local services are not active or configured, the rule sends the HTTP redirects with the location of the redirect services to the clients.
- The local and redirect services are not active or configured, the rule forwards the HTTP requests to the primary sorry server.
- All services are down except the secondary sorry server, the rule forwards the HTTP requests to the secondary sorry server.
Note
When you add a service to content rules, the service weight as configured in
service mode is applied to each rule as a server-specific attribute. Use the add
service weight command to define a content rule-specific server weight. This
command overrides the server-specific weight and applies only to the content rule
to which you add the service. For information on the setting a weight on a service,
refer to Chapter 1, Configuring Services, Configuring Weight.
Enter the server name as a case-sensitive unquoted text string with no spaces.
Note
You can only add a primary sorry server to a rule if its range for the IP address or
port is equal to the range for the IP address or port of each service on the rule. For
example, if the rule has two services each with a range of three addresses, the
primary sorry server must have a range of three addresses.
For example, enter:
(config-owner-content[arrowpoint-rule1])# primarySorryServer slowserver
Note
You can only add a secondary sorry server to a rule if its range for the IP address
or port is equal to the range for the IP address or port of each service on the rule.
For example, if the rule has two services each with a range of three addresses, the
secondary sorry server must have a range of three addresses.
For example, enter:
(config-owner-content[arrowpoint-rule1])# secondarySorryServer slowestserver
add dns dns_name - The DNS name mapped to the content rule. Enter the
name as a case-sensitive unquoted text string with no spaces and a length of
1 to 31 characters.
add dns dns_name ttl_value - The DNS name mapped to the content rule with
the optional Time to Live (TTL) value in seconds. This value sets how long
the DNS client remembers the IP address response to the query. Enter a value
from 0 to 255. The default is 0.
When using the content add dns command, you must add DNS names in
lowercase only. If you enter DNS names with a combination of uppercase and
lowercase characters, a startup error appears and you must reenter the names in
lowercase characters.
For example, enter:
(config-owner-content[arrowpoint-rule1])# add dns arrowpoint 120
Note
To configure DNS server functionality on the CSS, use the (config) dns-server
command.
To enable DNS in the content rule, use the no dns-disable-local command. For
example, enter:
(config-owner-content[arrowpoint-rule1])# no dns-disable-local
Note
Once a content rule is activated the following commands cannot be changed for
the active content rule: port, protocol, balance, dnsbalance, header-field-rule,
and url. In addition, you cannot remove the last remaining service from the
content rule. If you need to make modifications to an active content rule, you must
first suspend it.
For example, enter:
(config-owner-content[arrowpoint-rule1])# active
To suspend a content rule, use the suspend command in content mode. For
example, enter:
(config-owner-content[arrowpoint-rule1])# suspend
Configuring a Protocol
Specifying a protocol in a content rule enables the CSS to direct requests for
content associated with the content rule to use a specific protocol. You may
specify the following protocols for content:
any (default, meaning the rule will match on a TCP or UDP port)
tcp
udp
Configuring a Port
Specifying a port enables the CSS to associate a content rule with a specific
TCP/UDP port number. Specify a port number ranging from 0 to 65535. The
default is 0, which indicates any port.
To configure a port for content, enter:
(config-owner-content[arrowpoint-rule1])# port 80
balance domain - Domain name division algorithm. The CSS divides the
alphabet evenly across the number of caches. It parses the host tag for the first
four letters following the first dot and then uses these characters of the
domain name to determine to which server it should forward the request. This
option is typically used in a caching environment.
balance srcip - Source IP address division algorithm. The CSS directs all
client requests coming from the same source IP address to the same service.
This option is generally used in a caching configuration.
balance url - URL division algorithm. The CSS divides the alphabet evenly
across the number of caches. It then parses the URL for the first four
characters located after the portion of the URL matched on by the rule. For
example, if the URL in a content rule is configured for "/news/*", the CSS
will balance on the first four characters following "/news/". This option is
typically used in a caching environment.
balance urlhash - Internal CSS hash algorithm based on the URL string. The
CSS parses the URL and performs an XOR hash across the URL. It then uses
the XOR hash value to determine to which server to forward the request. This
method guarantees that all requests for the same URL will be sent to the same
server in order to increase the probability of a cache hit. This option is
typically used in a caching environment.
Note
A Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST,
PUSH, and PUT methods. The CSS recognizes and forwards the following HTTP
methods directly to the destination server in a transparent caching environment.
Note that the CSS does not load balance these HTTP methods. RFC-2068:
OPTIONS, TRACE; RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE,
LOCK, UNLOCK, COPY, DELETE.
In a transparent caching environment (for example, no VIP address on a Layer 5
content rule), the CSS bypasses these HTTP methods, and they are forwarded to
the destination server.
For example, to specify weightedrr load balancing, enter:
(config-owner-content[arrowpoint-rule1])# balance weightedrr
To restore the DNS balance type to the default setting of using the owner's
method, enter:
(config-owner-content[arrowpoint-rule1])# no dnsbalance
Configuring Hotlists
Use the hotlist command to define a hotlist that lists the content most requested
(hot content) during a user-defined period of time. The CSS enables you to
configure hotlist attributes for content rules. Defining hotlist attributes for a
content rule enables you to determine which content is heavily accessed. With this
information, you can accurately determine which content should be replicated.
hotlist - Enable the hotlist. To enable a hotlist for a specific content rule, use
the hotlist command from the corresponding owner-content mode. For
example, enter:
(config-owner-content[arrowpoint-rule1])# hotlist
hotlist interval - Set the hotlist refresh interval. Enter the interval time in
minutes from 1 to 60. The default is 1. For example, enter:
hotlist size - Set the size of the hotlist. Enter the total number of entries
maintained for this rule from 1 to 100. The default is 10. For example, enter:
(config-owner-content[arrowpoint-rule1])# hotlist size 10
hotlist threshold - Set the hotlist threshold. Enter an integer from 0 to 65535
to specify the threshold above which a piece of content is considered hot. The
default is 0. For example, enter:
(config-owner-content[arrowpoint-rule1])# hotlist threshold 9
hotlist hitcount - Set the hotlist type to hit count, how many times the content
was accessed. For example, enter:
(config-owner-content[arrowpoint-rule1])# hotlist type hitcount
To display hotlist information, use the show domain hotlist command. Table 3-2
describes the fields in the show domain hotlist output.
Table 3-2 show domain hotlist Fields (descriptions other than those shown were not recovered)
Hotlist - Enabled/Disabled
Size
Interval
Threshold
# Hot Domains
Hits
Domain - The name of the hot domain associated with the Hits field.
domain hotlist - Enable the domain hotlist. The domain hotlist is disabled by
default.
To display the domain hotlist and its configuration, use the show domain hotlist
command (see Table 3-2).
url /url_name - Specify the URL for the content as a quoted text string with
a maximum length of 252 characters.
url /{url_path}/* eql eql_name - Specify the URL for any content file that
has its file extension defined in the specified Extension Qualifier List (EQL).
url /{url_path}/* dql dql_name {eql_name} - Specify the URL for any
content file that has its domain name defined in the specified Domain
Qualifier List (DQL). You cannot use a DQL in conjunction with a domain
name in a URL. You may optionally include an EQL after the DQL name to
specify specific file extensions as part of the DQL matching criteria.
url_name - The URL for the content. Enter a quoted text string with a
maximum length of 252 characters. You must place a slash character (/) at the
beginning of the URL (for example, /announcements/prize.html).
To specify a domain name, place two slashes (//) at the beginning of the URL.
For example, //www.arrowpoint.com/* allows the rule to match on HTTP
traffic that contains the www.arrowpoint.com domain name in the HTTP host
tag.
Normally, port 80 traffic does not use a port number in the domain name. To
specify a port other than port 80, enter the domain name with the port number
exactly. Separate the domain name and the port number with a colon. For
example, enter:
(config-owner-content[arrowpoint-rule1])# url //www.arrowpoint.com:8080/*
To use stickiness based on Secure Socket Layer (SSL) session ID, set the
URL to /*. Also, set the port to 443 with the (config-owner-content) port
command and enable stickiness with the (config-owner-content)
advanced-balance ssl command. Then specify an SSL application type.
You can specify certain wildcard operations for wildcard matching. Use a *
character to specify a wildcard match. You can specify a maximum of eight
directories. Each directory name can be a maximum of 32 characters with a
total maximum of 252 characters in the URL. You can specify only one
wildcard per URL.
Examples of supported wildcards are:
url_path - An optional path to any content file that has its file extension
defined in the EQL. Enter a quoted text string. You must place:
A slash character (/) at the beginning of the quoted path
/* characters at the end of the quoted path
eql_name - The name of the EQL. To see a list of EQLs, use the eql ?
command.
urql_name - The name of the URQL. You can only assign one URQL per rule.
To see a list of URQLs, use the urql ? command.
Note
For caching environments, you can configure a domain content rule by placing
two slash characters (//) at the front of the url_name or url_path. The rule matches
HTTP traffic that contains the domain name in the HTTP host tag.
For example, to specify a URL that matches all requests for content in the
announcements directory with .html extensions, enter:
(config-owner-content[arrowpoint-products.html])# url "/announcements/*.html"
To display a URL for a content rule, use the show rule command for the content
rule.
Note
Do not specify a file extension in the URL when you use an EQL in the URL, or
the CSS will return an error message. For example, the CSS will return an error
message for the url /*.txt eql Cacheable command. The following command
is valid: url /* eql Cacheable.
The following example enables the CSS to direct all requests to the correct service
for content that matches:
Pathnames (/customers/products)
Provide a URL to send back to the requestor. You must add a URL to the
content rule for redirect to force the HTTP request. For example, url /*.
Enter the URL as a quoted text string with a maximum of 64 characters.
If you also set status code 404 (drop message) for content, code 302 takes priority.
Do not configure a service for a redirect-only content rule.
For example, enter:
(config-owner-content[arrowpoint-rule1])# redirect
"//www.arrowpoint.com/newlocation.html"
To reset the CSS back to the default state of not sending a TCP RST frame, enter:
(config-owner-content[rule1])# no flow-reset-reject
Bypass persistence
HTTP Redirection
Service Remapping
Matches on the same content rule that specified the current service
Matches on a new content rule that contains the current service, even if a
different best service is specified by the content rule
This CSS behavior is known as content rule persistence. If you are using
transparent caches (which prefetch content) or mirrored-content servers, this
scheme works well because the same content is available on each service.
To disable persistence:
(config-owner-content[arrowpoint-rule1])# no persistent
The CSS uses remapping or redirection to reset the connection according to the
setting of the persistence reset method.
(config)# bypass persistence enable
The CSS does not use remapping or redirection to reset the connection and
continues to bypass a service.
When the CSS receives a request for content that is not available on the current
service, it must reset the current connection to the service and establish a new
connection to another service (for example, a different proxy cache or the origin
server) that contains the requested content. You can accomplish this in either of
the following ways:
The CSS does not use remapping when selecting redirect type services. Refer to
Chapter 1, Configuring Services, Specifying a Service Type.
Defining Failover
Note
The CSS supports Adaptive Session Redundancy (ASR) on 11500 series CSS
peers in an active-backup VIP redundancy and virtual IP interface redundancy
environment to provide stateful failover of existing flows. For details on ASR,
refer to the Cisco Content Services Switch Advanced Configuration Guide,
Chapter 6, Configuring VIP and Virtual IP Interface Redundancy.
To define how the CSS handles content requests when a service fails or is
suspended, use the failover command. For the CSS to use this setting, ensure that
you configure a keepalive for each service; that is, do not set the keepalive type
to none (the keepalive default is ICMP). The CSS uses the keepalive settings to
monitor the services to determine server health and availability.
The failover command applies to the following caching load balancing types:
balance domain
balance url
balance srcip
balance destip
balance domainhash
balance urlhash
If you remove a service (using the remove service command), the CSS rebalances
the remaining services. The CSS does not use the failover setting.
failover bypass - Bypass all failed services and send the content request
directly to the origin server. This option is used in a proxy or transparent
cache environment when you want to bypass the failed cache and send the
content request directly to the server that contains the content.
failover linear (default) - Distribute the content request evenly between the
remaining services.
failover next - Send the content requests to the cache service next to the
failed service. The CSS selects the service to redirect content requests to by
referring to the order in which you configured the services.
Figure 3-3 shows three cache services configured for failover next. If ServerB
fails, the CSS sends ServerB content requests to ServerC, which was configured
after ServerB in the content rule.
Figure 3-3 (figure): failover next with three cache services. ServerA 33%, ServerB 33%, ServerC 33% + 33% (ServerC takes the ServerB share after ServerB fails).
As shown in Figure 3-4, if ServerC fails, the CSS sends ServerC content requests
to ServerA because no other services were configured after ServerC.
Figure 3-4 (figure): ServerA 33% + 33% (ServerA takes the ServerC share after ServerC fails), ServerB 33%, ServerC 33%.
Figure 3-5 shows three cache services configured for failover linear. If you
suspend ServerB or if it fails, the CSS does not rebalance the services. It evenly
distributes the ServerB cache workload between servers A and C.
Note that Figure 3-5 and Figure 3-6 use the alphabet to illustrate division balance.
Figure 3-5 (figure): failover linear with ServerB suspended. ServerA A-H + I-M, ServerB (suspended) I-Q, ServerC R-Z + N-Q.
Figure 3-6 also shows three cache services configured for failover linear, but in
this example, you remove ServerB using the remove service command from
owner-content mode. Because the CSS does not apply the failover setting when
you remove a service, it rebalances the remaining services.
Figure 3-6 (figure): ServerB removed with remove service. ServerA A-M, ServerC N-Z.
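An added example (not from the guide) that reproduces the redistribution shown in Figures 3-3 to 3-6 using the alphabet division those figures use: failover next, failover linear, and remove service. How an uneven alphabet split is rounded is an assumption chosen to match the figures' A-H, I-Q, R-Z division.

```python
"""Added example (not from the Cisco guide): how a failed, suspended or
removed cache service's share is redistributed under the CSS failover modes."""
import string

LETTERS = string.ascii_uppercase


def _split(letters, n, extras_first):
    """Split a run of letters into n consecutive chunks of near-equal size.
    When the count does not divide evenly, the extra letters go to the first
    chunks (extras_first) or to the last chunks; both choices are assumptions
    picked so the results match Figures 3-5 and 3-6."""
    base, extra = divmod(len(letters), n)
    sizes = [base + 1 if (i < extra if extras_first else i >= n - extra) else base
             for i in range(n)]
    chunks, pos = [], 0
    for size in sizes:
        chunks.append(letters[pos:pos + size])
        pos += size
    return chunks


def span(letters):
    """'IJKLM' -> 'I-M', as the figures label a range."""
    if not letters:
        return ""
    return f"{letters[0]}-{letters[-1]}" if len(letters) > 1 else letters


def alphabet_ranges(services):
    """Divide the alphabet evenly across services in configured order
    (three services: A-H, I-Q, R-Z as in Figure 3-5)."""
    return dict(zip(services, _split(LETTERS, len(services), extras_first=False)))


def failover_linear(services, failed):
    """'failover linear' (default): the failed or suspended service's range is
    spread evenly over the remaining services; nothing else is rebalanced."""
    ranges = alphabet_ranges(services)
    remaining = [s for s in services if s != failed]
    result = {s: [span(ranges[s])] for s in remaining}
    pieces = _split(ranges[failed], len(remaining), extras_first=True)
    for s, piece in zip(remaining, pieces):
        result[s].append(span(piece))
    result[failed] = []  # suspended or failed: receives no requests
    return result


def failover_next(services, failed):
    """'failover next': the service configured after the failed one takes its
    whole range; the last service wraps around to the first (Figures 3-3, 3-4)."""
    ranges = alphabet_ranges(services)
    successor = services[(services.index(failed) + 1) % len(services)]
    result = {s: [span(ranges[s])] for s in services if s != failed}
    result[successor].append(span(ranges[failed]))
    result[failed] = []
    return result


def remove_service(services, removed):
    """'remove service': the failover setting is not applied; the remaining
    services are rebalanced from scratch (Figure 3-6: A-M, N-Z)."""
    remaining = [s for s in services if s != removed]
    return {s: [span(r)] for s, r in alphabet_ranges(remaining).items()}


if __name__ == "__main__":
    rule = ["ServerA", "ServerB", "ServerC"]
    print("linear, ServerB suspended:", failover_linear(rule, "ServerB"))
    print("next, ServerC failed:     ", failover_next(rule, "ServerC"))
    print("ServerB removed:          ", remove_service(rule, "ServerB"))
```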
Note
A Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST,
PUSH, and PUT methods. The CSS recognizes and forwards the following HTTP
methods directly to the destination server in a transparent caching environment.
Note that the CSS does not load balance these HTTP methods. RFC-2068:
OPTIONS, TRACE; RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE,
LOCK, UNLOCK, COPY, DELETE
The application command enables you to specify the following application types:
bypass - Bypass the matching of a content rule and send the request directly
to the origin server
Note
You cannot specify both url urql and application ssl for the same content rule.
For example, the following owner portion of a startup-config shows a content rule
configured for application ftp-control.
!************************** OWNER **************************
owner arrowpoint
content ftprule
vip address 192.3.6.58
protocol tcp
port 21
application ftp-control
add serv1
add serv3
active
Showing Content
The show content command enables you to display content entries in the Content
Service Database (CSD) of the 11500 series CSS. This command is available in
all modes.
To display content from a specific module, and content entry location, in either
the CSS 11503 or CSS 11506, specify the show content command as follows:
show content slot slot_number {start-index index_number}
slot slot_number - Display content from the module located in a specific slot
in the CSS 11503 or CSS 11506 chassis. For the CSS 11503, the available
choices are 1 through 3. For the CSS 11506, the available choices are 1
through 6. If you do not specify a slot number, the CSS displays the content
entries from the SCM in slot 1 of the CSS.
Use the show content command with no options or variables to show all content
entries in the Content Service Database for a CSS 11501, 11503, or 11506.
For example, to look at the content from the module in CSS 11503 chassis slot 2,
starting at index 150, enter:
(config)# show content slot 2 start-index 150
Note
URQL entries are flagged with an asterisk (*) in the show content output.
Table 3-4 show content Fields (descriptions other than Best Effort were not recovered)
Pieces of Content for Slot
Subslot
Total Content
Index
<address>
Protocol
Port
Best Effort - The QoS class of the content. This field is not used by the CSS at this time.
Streamed
URL
Domain
show rule - Display all owners and content rules currently configured in the
CSS
Note
The CntRuleName and OwnerName fields display the first 16 characters of the
configured data. The URL field displays the first 10 characters of configured data.
Table 3-5 describes the fields in the show rule output.
Table 3-5 show rule Fields (descriptions were not recovered except where shown)
Name
Owner
Author
Index
State
Type - Recovered values: L3 (Destination IP address), L4, URL, URQL, EQL, DQL
Total Bytes
Total Frames
Total Redirects
Total Rejects
Overload Rejects
Balance
Advanced Balance
Sticky Mask
Sticky No Cookie Found Action - The action the CSS should take for a sticky cookie content rule when it cannot locate the cookie header or the specified cookie string in the client request. The list of possible values was not recovered.
ArrowPoint Cookie Expiration
String Range
String Prefix
String Eos-Char
String Ascii-Conversion
String Skip-Len
String Process-Len
String Operation
Redirect
Persistence
Param-Bypass
Session Redundancy
IP Redundancy
Flow Timeout Multiplier - Number of seconds that a flow remains idle before the CSS reclaims the flow resources, as configured with the flow-timeout-multiplier command. For details on the flow-timeout-multiplier command, refer to the Cisco Content Services Switch Administration Guide.
Rule Services
Local Load Threshold
PrimarySorryServer
SecondSorryServer
Name
Hits
Wgt - The weight for the service used when you configure ACA, weighted roundrobin, and DFP load balancing on the content rule. With a higher weight, the CSS redirects more requests to the service. The meanings of the letters preceding the weight numbers were not recovered.
State
Ld
KAlive
Conn
DNS
DNS Names
DNS TTL
DNS Balance
Hotlist
Size
Type
Threshold
Interval
Associated ACLs - Associated with all content rules or only the current content rule
Use the zero command and its options to clear the counters for content rules or
services associated with content rules, and set the counters to zero.
This section covers:
Note
If you issue the zero command without an option, only the counters for the current
content rule are set to zero.
For example, enter:
(config-owner-content[rule1])# zero all
zero total-connections - Set the Total Connections counter to zero for all
services associated with the specified content rule
zero state-transitions - Set the State Transitions counter to zero for all
services associated with the specified content rule
You can issue the following zero commands from content mode:
For example, to clear a counter for all services associated with the specified
content rule, enter:
(config-owner-content[rule1])# zero total-connections
For example, to clear a counter for a specific service in a content rule, enter:
(config-owner-content[rule1])# zero total-connections service serv1
Where to Go Next
Once you create content rules you can configure sticky parameters for the content
rules. For information on configuring sticky parameters, refer to Chapter 4,
Configuring Sticky Parameters for Content Rules.
Chapter 4
Configuring Sticky Parameters for Content Rules
Sticky Overview
During a session, the CSS maintains an association between a client and a server.
This association is referred to as stickiness. Stickiness enables transactions over
the Web when a client must remain on the same server for the entire session.
Depending on the content rule, the CSS sticks a client to an appropriate server
after the CSS has determined which load balancing method to use.
If the CSS determines that a client is already stuck to a particular service, then the
CSS places the client request on that service, regardless of the load balancing
criteria specified by the matched content rule. If the CSS determines that the client
is not stuck to a particular service, it applies normal load balancing to the content
request.
Client cookies uniquely identify clients to the services providing content. A
cookie is a small data structure used by a server to deliver data to a Web client and
request that the client store the information. In certain applications, the client
returns the information to the server to maintain the state between the client and
the server.
When the CSS examines a request for content and determines through content rule
matching that the content is sticky, it examines any cookie or URL present in the
content request. The CSS uses this information to place the content request on the
appropriate server.
The CSS 11501 supports a 128K sticky table. The CSS 11503 or CSS 11506
supports either a 128K or 32K sticky table, depending on whether the SCM has
288 MB or 144 MB of memory. When the CSS has 288 MB of memory, it
supports a 128K sticky table. When the CSS has 144 MB of memory, it supports
a 32K sticky table. The size of the sticky table means that once 128K (or 32K)
simultaneous users are on the site, the table wraps and the first users become
unstuck.
Source IP address
SSL session ID
Determine the sticky method you want to use according to the requirements
of the site (for example, Layer 3, Layer 4, or one of the string methods).
If you use advanced-balance methods cookies, url, or cookieurl, you must also:
Determine whether you want to use an exact string match or a hash, and then
configure that function.
2.
Configure the sticky method using the advanced-balance command and its
options. The advanced-balance command options are described in
Specifying an Advanced Load-Balancing Method for Sticky Content later
in this chapter.
3.
b. For each service configuration, use the service mode string command to
configure the unique string that you want to use for matching each server.
For example, you have three servers and you want the string matching to
be serverid111 for service1, serverid112 for service2, and serverid113
for service3. Configure the Web server applications to use these strings
when they set cookies or pass parameters.
For information on the string operation match-service-cookie command,
see Specifying a String Operation later in this chapter.
To use the hash algorithm:
a. Enter the string operation command in the content rule.
b. Select an option (hash-a, hash-crc32, or hash-xor) depending on the
hash method you wish to use. Hashing requires that each server can
accept cookies set by all other servers.
Technical Support recommends using either hash-xor or hash-crc32,
depending on your string possibilities. If the strings are completely
dissimilar, use hash-xor. If the strings are similar, use hash-crc32. For
example, if your string values are abc1, abc2, and abc3, the hash-xor
method cannot provide you with enough variance in the hash values (that
is, abc1 and abc2 may end up on the same server because they may hash
to the same value).
For information on the string operation hash options, see Specifying a
String Operation later in this chapter.
4.
string range - Defining the string range enables you to limit the size of
the search. By default the CSS searches the first 100 bytes of the cookie,
URL, or parameters in the URL depending on the method. If you know
where in the cookie or URL the string is likely to appear, define the string
range accordingly. The range is from 1 to 2000. The default is 1 to 100.
The string range options are described in Configuring String Range
later in this chapter.
string skip-length - Specifies the number of bytes to skip after the end
of the prefix within the string range. The range is 0 to 64.
For example, if you are using ipaddr=192.168.3.6&, then use the string
prefix ipaddr= and the string eos-char & because the IP addresses vary
in length.
For example, if you are using server ID=server111, then use the string prefix
server ID= and a string process-length of 8 because the string does not vary
in length.
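The hash-xor versus hash-crc32 variance point made in step 3 above, as an added example that is not Cisco's code: both hash methods are modelled from the chapter's description (XOR every byte; apply CRC32), while mapping the key onto a service by modulo and the use of the standard zlib CRC-32 polynomial are assumptions.

```python
import zlib

# Added example, not Cisco's implementation. hash-xor and hash-crc32 follow
# the chapter's description (XOR every byte; apply CRC32). Mapping a key onto
# a service by modulo, and the zlib CRC-32 polynomial, are assumptions.
SIMILAR_STRINGS = ["abc1", "abc2", "abc3"]              # the chapter's own example
DISSIMILAR_STRINGS = ["serverid111", "web-east", "x9q"]  # constructed sample


def hash_xor(s: str) -> int:
    """hash-xor: exclusive-OR every byte of the string into a single byte."""
    key = 0
    for b in s.encode("ascii"):
        key ^= b
    return key                                   # always in 0..255


def hash_crc32(s: str) -> int:
    """hash-crc32: CRC-32 of the string (zlib polynomial assumed)."""
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF


def pick_service(key: int, services: list) -> str:
    """Assumed key-to-service mapping: key modulo the number of services."""
    return services[key % len(services)]


def placement(strings, hasher, services) -> dict:
    """Return {sticky string: chosen service} for one hash method."""
    return {s: pick_service(hasher(s), services) for s in strings}


def xor_collisions(strings) -> list:
    """Pairs of strings whose hash-xor keys are identical. XOR ignores byte
    order, so any two strings built from the same bytes collide outright."""
    pairs = []
    for i, a in enumerate(strings):
        for b in strings[i + 1:]:
            if hash_xor(a) == hash_xor(b):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    two = ["service1", "service2"]
    # Similar strings differ only in the low bits of the one-byte XOR key, so
    # with two services abc1 and abc3 land on the same one.
    print("hash-xor  :", placement(SIMILAR_STRINGS, hash_xor, two))
    print("hash-crc32:", placement(SIMILAR_STRINGS, hash_crc32, two))
    print("xor keys  :", [hex(hash_xor(s)) for s in SIMILAR_STRINGS])
    print("collisions:", xor_collisions(["abc1", "bca1", "cab1"]))
```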
Table 4-1 describes sticky rules and how they apply to content rules.
Table 4-1
Rule Type - Sticky Configuration
advanced-balance sticky-srcip
advanced-balance cookies or advanced-balance cookieurl
advanced-balance ssl
Specifying an Advanced Load-Balancing Method for Sticky Content
advanced-balance cookies - Enables the content rule to stick the client to the
server based on the configured string found in the HTTP cookie header. You
must specify a port in the content rule to use this option. The CSS will then
spoof the connection. A content rule with a sticky configuration set to
advanced-balance cookies requires all clients to enable cookies on their
browser.
When a client makes an initial request, they do not have a cookie. But once
they go to a server that is capable of setting cookies, they receive the cookie
from the server. Each subsequent request contains the cookie until the cookie
expires. A string in a cookie can be used to stick a client to a server. The
service mode string command enables you to specify where the CSS should
locate the string within the cookie.
The CSS processes the cookie using:
An exact match that you set up when you configure the services.
Data for a hash algorithm. For more information, see Comparing Hash
advanced-balance ssl - Enables the content rule to stick the client to the
server based on the Secure Socket Layer (SSL) version 3 session ID assigned
by the server. The application type must be SSL for the content rule. You must
specify a port in the content rule to use this option. The CSS will then spoof
the connection.
Sites where encryption is required for security purposes often use SSL. SSL
contains session IDs and the CSS can use these session IDs to stick the client
to a server. In order for the CSS to successfully provide SSL stickiness, the
application must be using SSL version 3 session IDs. Sticky SSL uses the
sticky table. If you are concerned about the number of concurrent sessions,
and not concerned about security, you should consider using the cookies,
cookieurl, or url option.
sticky)
Load balances the request to a server
Stores the selected server and the key (hashed value of the MSISDN
Note
You can use the advanced-balance wap-msisdn command alone or with the
MSISDN header field type. For a configuration example using both, see
Configuring Wireless Users for E-Commerce Applications later in this chapter.
To disable the advanced load-balancing method, enter:
(config-owner-content[arrowpoint-rule1])# advanced-balance none
ssl-l4-fallback enable - The CSS inserts the Layer 4 hash value into the
sticky table (default setting).
ssl-l4-fallback disable - The CSS does not insert the Layer 4 hash value into
the sticky table and continues to look for SSL version 3 session IDs.
For example, to disable the CSS from inserting the Layer 4 hash value into the
sticky table, enter:
(config)# ssl-l4-fallback disable
To reset the CSS back to the default action of inserting a Layer 4 hash value into
the sticky table, enter:
(config)# ssl-l4-fallback enable
The syntax and options for this content mode command are:
To set the sticky failover method to its default setting of using the configured
load-balancing method, enter:
(config-owner-content[arrowpoint-rule1])# no sticky-serverdown-failover
Note
If the starting position is beyond the cookie, URL, or URL extension, the CSS
does not perform the string function. When the ending position is beyond the
cookie, URL, or URL extension, the string processing stops at the end of the
corresponding header.
Enter the start_byte as the starting byte position of the cookie, URL, or URL
extension after the header. Enter an integer from 1 to 1999. The default is 1.
Ensure that the starting byte position is less than the end byte.
Enter the end_byte as the ending byte position of the cookie, URL, or URL
extension. Enter an integer from 2 to 2000. The default is 100. Ensure that the
ending byte position is more than the start byte position.
If you are using advanced-balance:
cookies - The CSS starts counting after Cookie: (that is, cookie, colon,
space).
cookieurl - The CSS starts counting after the "Cookie: " string. If the CSS
does not find "Cookie: " in the HTTP request, it starts counting after the "?"
in the URL of the same request.
Note
Are only capable of accepting the cookies that they set, then you must use the
exact match method.
Can accept any cookies that are set by either a cookie server or other servers,
then you may use the hash method.
Using the string operation hash algorithms may allow the Web server application
to be used without being modified. When you use the string operation
match-service-cookie method, you must modify the Web server application so
that each server generates a unique string. The hash algorithms may be able to
take advantage of strings already generated by the servers.
The syntax and options for this content mode command are:
hash key
hash-crc32 - Apply the CRC32 algorithm on the hash string to generate
a hash key
hash-xor - Exclusive OR (XOR) each byte of the hash string to derive
To reset the string operation to its default setting of choosing a server by matching
a service cookie in the sticky string, enter:
(config-owner-content[arrowpoint-rule1])# no string operation
The CSS derives a string result from the following string criteria commands:
string ascii-conversion
string eos-char
string prefix
string process-length
string skip-length
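The string criteria commands listed above, together with the string range and counting rules described under Configuring String Range earlier in this chapter, as an added example that is not Cisco's code: it derives the sticky string from the text after "Cookie: " and then applies the match-service-cookie exact match. The cookie headers and service strings are constructed; giving process-length priority over eos-char when both are set, and treating process-length 0 as "not configured", are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Cisco's code. Models string range, prefix, skip-length,
# process-length and eos-char as the chapter describes them. Assumptions:
# process-length wins over eos-char when both are set; 0 means "not set".


@dataclass
class StringCriteria:
    range_start: int = 1      # string range start_byte (1 to 1999), default 1
    range_end: int = 100      # string range end_byte (2 to 2000), default 100
    prefix: str = ""          # string prefix
    skip_length: int = 0      # string skip-length (0 to 64), after the prefix
    process_length: int = 0   # string process-length; 0 = not configured
    eos_char: str = ""        # string eos-char


def sticky_string(cookie: str, c: StringCriteria) -> Optional[str]:
    """Derive the sticky string from the text that follows "Cookie: ".

    Returns None when no string can be derived: start byte beyond the cookie,
    prefix absent inside the search range, or skip-length past the range.
    """
    if not 1 <= c.range_start < c.range_end <= 2000:
        raise ValueError("string range must satisfy 1 <= start < end <= 2000")
    if c.range_start > len(cookie):           # start beyond the cookie
        return None
    # Byte positions are 1-based; an end past the cookie stops at its end.
    window = cookie[c.range_start - 1:c.range_end]
    pos = 0
    if c.prefix:
        found = window.find(c.prefix)
        if found < 0:
            return None                        # prefix not within the range
        pos = found + len(c.prefix)
    pos += c.skip_length
    if pos >= len(window):
        return None
    rest = window[pos:]
    if c.process_length:                       # fixed-length strings
        return rest[:c.process_length]
    if c.eos_char:                             # variable-length strings
        end = rest.find(c.eos_char)
        return rest if end < 0 else rest[:end]
    return rest


def match_service_cookie(sticky: Optional[str], services: dict) -> Optional[str]:
    """string operation match-service-cookie: exact match on the per-service
    strings configured with the service mode string command."""
    if sticky is None:
        return None
    return services.get(sticky)


# Constructed sample data: service strings and the text after "Cookie: ".
SERVICES = {"serverid111": "service1",
            "serverid112": "service2",
            "serverid113": "service3"}
COOKIE_IP = "sessionid=9a7f; ipaddr=192.168.3.6&lang=en"   # varying length
COOKIE_FIXED = "uid=42; serverid=serverid112; lang=en"     # fixed length
COOKIE_SKIP = "token=AB-serverid113-xyz"                   # needs skip-length

if __name__ == "__main__":
    print(sticky_string(COOKIE_IP, StringCriteria(prefix="ipaddr=", eos_char="&")))
    fixed = sticky_string(COOKIE_FIXED, StringCriteria(prefix="serverid=", process_length=11))
    print(fixed, "->", match_service_cookie(fixed, SERVICES))
    print(sticky_string(COOKIE_SKIP, StringCriteria(prefix="token=", skip_length=3, process_length=11)))
    # A range of 1 to 20 never reaches the ipaddr= prefix, so no string results.
    print(sticky_string(COOKIE_IP, StringCriteria(range_end=20, prefix="ipaddr=", eos_char="&")))
```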
Configuring Sticky-No-Cookie-Found-Action
loadbalance (default) - The CSS uses the configured balance method when
no cookie is found in the client request.
redirect URL - Redirects the client request to a specified URL string when
no cookie is found in the client request. When using this option, you must also
specify a redirect URL. Specify the redirect URL as a quoted text string from
0 to 64 characters.
reject - Rejects the client request when no cookie is found in the request.
service name - Sends the no cookie client request to the specified service
when no cookie is found in the request.
For details on the show rule command, refer to Chapter 3, Configuring Content
Rules.
When the CSS finds the cookie in the client request, it unscrambles the cookie
data and then validates it. Then, the CSS checks the cookie expiration time. If the
cookie has expired, the CSS sends a new cookie containing the information about
the server where the client was stuck. This appears as an uninterrupted
connection.
If the cookie format is valid, the CSS ensures the consistency between the cookie
and the CSS configuration. When all the validations are passed, the CSS forwards
the client request to the server indicated by the server identifier. Otherwise, the
CSS treats this request as an initial request.
The options for this content mode command are:
Note
Do not use all zeros for days, hours, minutes, and seconds. This value is invalid.
For example, enter:
(config-owner-content[arrowpoint-rule1])# arrowpoint-cookie expiration 08:04:03:06
To reset the expiration time to when the client exits the browser, enter:
(config-owner-content[arrowpoint-rule1])# no arrowpoint-cookie expiration
content ruleNo012
vip address 192.168.128.151
protocol tcp
port 80
url "/*"
add service server21
add service server22
header-field-rule wapNo012
active
content ruleNoWap
vip address 192.168.128.151
protocol tcp
port 80
url "/*"
add service server31
add service server32
active
Where to Go Next
You can configure source groups, Access Control Lists (ACLS), Extension
Qualifier Lists (EQLs), Uniform Resource Locator Qualifier Lists (URQLs),
Network Qualifier Lists (NQLs), and Domain Qualifier Lists (DQLs). For
information, refer to Chapter 5, Configuring Source Groups, ACLs, EQLs,
URQLs, NQLs, and DQLs.
Chapter 5
Configuring Source Groups, ACLs, EQLs, URQLs, NQLs, and DQLs
The CLI transitions into config-group mode where you can activate the
source group and configure attributes for it.
(config-group[ftpgroup])#
2.
Configure the source group VIP address to which all service IP addresses
will be translated. You can assign the same VIP address to multiple source
groups, but only one of the source groups can be active at a time. For
example, enter:
(config-group[ftpgroup])# vip address 172.16.36.58
3.
Add previously defined services to the source group. For example, enter:
(config-group[ftpgroup])# add service server1
(config-group[ftpgroup])# add service server2
4.
Activate the source group. Because a VIP address can belong only to one
active source group at a time, the CSS will not allow you to activate a
second source group that contains the same VIP address as the one in the
active source group.
(config-group[ftpgroup])# active
Create a content rule, add the same services and VIP that are configured in
the source group, and activate the content rule. The content rule enables the
CSS to match requests for the content rule VIP. When either server1 or
server2 replies to the request, the CSS NATs the server IP addresses to the
source group VIP.
For example, enter:
(config-owner[arrowpoint.com])# content ftpsource1
(config-owner-content[arrowpoint.com-ftpsource1])# add service server1
(config-owner-content[arrowpoint.com-ftpsource1])# add service server2
(config-owner-content[arrowpoint.com-ftpsource1])# vip address 172.16.36.58
(config-owner-content[arrowpoint.com-ftpsource1])# activate
Note
You can also use the group command from within group mode to access or create
another source group.
To remove a source group, enter:
(config)# no group ftpgroup
Note
To make certain modifications to an active source group, you must first suspend
the source group using the suspend command. Such modifications include:
changing the IP address to 0 or using the no ip address command, adding or
removing a service or destination service, or using the portmap command.
add service - Adds a service to a source group. You can configure a maximum
of 64 services per source group. A service may belong to only one group at a
time. When the source group is active and the same service is hit through a
content rule, ACL preferred service, or sorry service, the source group is used
to NAT (Network Address Translation) the source address. The service must
be active in order for it to perform source address NATing for the source
group (refer to Chapter 1, Configuring Services).
Be aware that you cannot use a service with:
The same name in other source groups or the destination service list
vip address - Specifies the source Virtual IP address (VIP) for the group. The
CSS substitutes this IP address for the source address in flows originating
from one of the groups sources. You can assign the same VIP address to
multiple source groups, but only one of the source groups can be active at a
time.
portmap - Defines the source port translation of flows from the services
configured in a source group. By default, portmapping is enabled for source
groups on source ports greater than 1023. The CSS translates such source
ports to a range starting at 8192. Use the following portmap options to change
the default portmapping behavior of the CSS. The syntax and options for this
group mode command are:
portmap base-port base_number - Defines the base port (starting port
number) for the CSS. Enter a base number from 2016 to 63456. The
default is 2016.
To reset the starting port number to its default value of 2016, use the
no portmap base-port command.
portmap number-of-ports number - Defines the number of ports in the
portmap range for each Switch Processor (SP) in an 11500 series CSS or
a Switch Fabric Processor (SFP) in an 11000 series CSS. Enter a number
from 2048 to 63488. The default is 63488.
To reset the number of ports to the default value, use the no portmap
number-of-ports command.
Translation (NAT) only on the source IP addresses and not on the source
ports of UDP traffic hitting a particular source group. Use this option for
Wireless Application Protocol (WAP) or other applications where you
need to preserve the registered UDP port number for return traffic.
Note
The CSS maintains but ignores any base-port or number-of ports (see
the previous options) values configured in the source group. If you later
reenable portmapping for that source group, any configured base-port or
number-of ports values will take effect. The default behavior for a
configured source group is to NAT both the source IP address and the
source port for port numbers greater than 1023.
To restore the default CSS behavior of NATing source IP addresses and
source ports for a configured source group, use the portmap enable
command.
suspend - Suspends a source group. The group and its attributes remain the
same but no longer have an effect on flow creation.
Note
When you use an FTP content rule with a configured VIP address range, be sure
to configure the corresponding source group with the same VIP address range
(refer to Chapter 3, Configuring Content Rules).
Configure a content rule as required using the VIP that will be load balanced
across multiple servers. The following example shows the portion of a
running-config for content rule ftp_rule. Ensure that you use the application
ftp-control command to define the application type.
content ftp_rule
vip address 192.168.3.6
protocol tcp
port 21
application ftp-control
add service serv1
add service serv2
add service serv3
active
2.
Configure a source group defining the same VIP and services as configured
in the content rule.
vip address 192.168.3.6
add service serv1
add service serv2
add service serv3
2.
Create a content rule to process DNS replies. The content rule to process DNS
replies is in addition to the content rules you created to process Web traffic.
The content rule example below enables the CSS to NAT inbound DNS
replies from the public VIP address (192.200.200.200) to the servers private
IP address (10.0.3.251).
The following example creates content rule dns1 with a public VIP
192.200.200.200 and adds server Server1.
(config-owner[arrowpoint.com])# content dns1
(config-owner-content[arrowpoint.com-dns1])# vip address 192.200.200.200
(config-owner-content[arrowpoint.com-dns1])# add service Server1
(config-owner-content[arrowpoint.com-dns1])# active
3.
Create a source group to process DNS requests. The source group enables the
CSS to NAT outbound traffic source IP addresses from the servers private IP
address (10.0.3.251) to the public VIP address (192.200.200.200).
To prevent server source port collisions, the CSS NATs the servers source IP
address and port by translating the:
Port to the port selected by the source group. The source group assigns
each server a unique port for a DNS query so that the CSS can match the
DNS reply with the assigned port. This port mapping enables the CSS to
direct the DNS reply to the correct server.
The following example creates source group dns1 with public VIP address
192.200.200.200 and adds the service Server1.
(config)# group dns1
(config-group[dns1])# vip address 192.200.200.200
(config-group[dns1])# add service Server1
(config-group[dns1])# active
show group group_name portmap - Display the starting port number and
number of ports configured on each SP in a 11500 series CSS (or SFP in a
11000 series CSS)
Table 5-2
Field - Description
Group
Session Redundancy
Redundancy Global
Index
Associated ACLs
Source/Destination Services
Name
Hits
State
DNS Load
Trans
Keepalive
Conn
Flow Timeout Multiplier
Group Cumulative Counters
Hits/Frames/Bytes - The number of group hits, frames, and bytes. This field
is incremented for traffic from a group server going out from the source
group. Traffic coming into the group does not increment the counter.
Connection Total/Current
FTP Control Total/Current
SP (or SFP) Base Port
Configured Base Port
Configured Ports
SP (or SFP) Current Mapped Ports
This section covers:
Creating an ACL
Deleting an ACL
Configuring Clauses
Deleting a Clause
Showing ACLs
ACL Example
The total number of ACL hits for each packet received by the CSS can vary
depending on the type of flow and whether an ACL match occurred. The CSS
performs an ACL check for every packet received until the flow is completely set
up.
For Content Hits, a flow can be defined as a stream of UDP and TCP packets
between a client and a server. The CSS must receive a number of packets from
the client and the server before it can completely set up the flow. All of these
packets, received before the flow is completely set up, are subject to ACL
checks and can cause increments to the ACL Content Hits counter.
For Router Hits, all non-TCP or UDP packets subjected to ACL checks cause
increments to the ACL Router Hits counter. All UDP and TCP traffic
terminating on the CSS (for example, a Telnet or FTP session) also causes
increments to the ACL Router Hits counter.
ACLs provide a basic level of security for accessing your network. If you do not
configure ACLs on the CSS, all packets passing through the CSS could be allowed
onto the entire network. For example, you may want to permit all email traffic, but
block Telnet traffic. You can also use ACLs to allow one client to access a part of
the network and prevent another client from accessing the same area.
Caution
ACLs function as a firewall security feature. When you enable ACLs, all traffic
not configured in an ACL permit clause will be denied. It is extremely important
that you first configure an ACL to permit traffic before you enable ACLs. If you
do not permit any traffic, you will lose network connectivity. Note that the console
port is not affected.
Cisco recommends that you configure either a permit all or a deny all clause
depending on your ACL configuration. For example, you could first configure a
permit all clause and then configure deny clauses for only the traffic you wish to
deny. Or, use the default deny all clause and configure permit clauses only for the
traffic you wish to permit.
Create an ACL and access ACL mode. Define the ACL index number from
1 to 99.
(config)# acl 7
(config-acl[7])#
2.
If you are load-balancing passive FTP servers and you want to use an ACL
to apply a source group, you must configure services directly in the source
group. For details on using source groups to support FTP sessions, see
Configuring a Source Group for FTP Connections earlier in this chapter.
3.
Apply the ACL to a specific circuit or add the ACL to DNS queries. For
example, to apply acl 7 to circuit VLAN1, enter:
(config-acl[7])# apply circuit-(VLAN1)
4.
Enable all ACLS on the CSS. Enter the global acl enable command for all
ACLs to take effect. You can enable ACL mode even if no ACLs are
configured. When you enable ACLs, all traffic not specifically permitted in
an ACL permit clause is denied by default. For example, enter:
(config)# acl enable
Caution
When you enter the acl enable command, all traffic is denied except for traffic
specified in an ACL permit clause.
Creating an ACL
To create an ACL and access ACL mode, use the acl index number command. The
index number defines the ACL and can range from 1 to 99. To display a list of
existing ACLs, use the acl ? command.
(config)# acl 7
When you access this mode, the prompt changes to the ACL mode of the index
number you created. For example, enter:
(config-acl[7])#
Deleting an ACL
To delete an ACL, use the no acl command followed by the index number you
wish to delete. For example, enter:
(config)# no acl 2
Configuring Clauses
To control traffic on a circuit, the CSS enables you to enter clauses in a specific
ACL. When implementing an ACL, the number assigned to each clause is very
important. The CSS looks at the ACL starting from clause 1 and sequentially
progresses through the rest of the clauses. Assign the lowest clause numbers to
clauses with the most specific matches. Then, assign higher clause numbers to
clauses with less specific matches.
You do not need to enter the clauses sequentially. The CSS automatically inserts
the clause in the appropriate order in the ACL. For example, if you enter clauses
10 and 24, and then clause 15, the CSS inserts the clauses in the correct sequence.
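The clause ordering described above and the Caution earlier in this section (with ACLs enabled, anything no permit clause covers is denied), as an added example that is not Cisco's code. Clauses are reduced to protocol, source, destination and destination port (the sourcegroup and prefer options are left out), and the ACL and clause contents are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Added example, not Cisco's code: a model of how an ACL's clauses are walked
# in numeric order with the first match deciding, and of the deny-by-default
# that applies once "acl enable" is in effect.
PROTOCOLS = {"any", "icmp", "igp", "igmp", "ospf", "tcp", "udp"}
ACTIONS = {"permit", "deny", "bypass"}


def _covers(spec: str, addr: str) -> bool:
    """True when spec ("any", a host address or a CIDR prefix) contains addr."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Clause:
    number: int                      # 1 to 254
    action: str                      # permit, deny or bypass
    protocol: str                    # one of PROTOCOLS
    source: str = "any"
    destination: str = "any"
    dest_port: Optional[int] = None  # None matches every port (no "eq" given)

    def __post_init__(self):
        if not 1 <= self.number <= 254:
            raise ValueError("clause number must be 1 to 254")
        if self.action not in ACTIONS or self.protocol not in PROTOCOLS:
            raise ValueError("unknown action or protocol")

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "any" and self.protocol != proto:
            return False
        if not (_covers(self.source, src) and _covers(self.destination, dst)):
            return False
        return self.dest_port is None or self.dest_port == dport


class ACL:
    """One ACL (index 1 to 99). Clauses may be entered in any order; the CSS
    keeps them sorted by number, which is what ordered() reproduces."""

    def __init__(self, index: int):
        if not 1 <= index <= 99:
            raise ValueError("ACL index must be 1 to 99")
        self.index = index
        self._clauses = {}

    def clause(self, c: Clause) -> None:
        self._clauses[c.number] = c

    def no_clause(self, number: int) -> None:
        self._clauses.pop(number, None)

    def ordered(self) -> list:
        return [self._clauses[n] for n in sorted(self._clauses)]

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, clause number) of the first matching clause, or
        ("deny", None): with ACLs enabled, unmatched traffic is denied."""
        for c in self.ordered():
            if c.matches(proto, src, dst, dport):
                return c.action, c.number
        return "deny", None


def example_acl() -> ACL:
    """Constructed ACL 7: most specific clauses get the lowest numbers. Clause
    15 is entered after 10 and 24 and is still evaluated between them."""
    acl = ACL(7)
    acl.clause(Clause(10, "deny", "tcp", destination="200.200.200.0/24", dest_port=23))
    acl.clause(Clause(24, "permit", "tcp", destination="200.200.200.0/24", dest_port=80))
    acl.clause(Clause(15, "permit", "tcp", source="10.0.0.0/8", destination="200.200.200.0/24"))
    return acl


if __name__ == "__main__":
    acl = example_acl()
    print([c.number for c in acl.ordered()])
    print(acl.evaluate("tcp", "10.1.2.3", "200.200.200.200", 23))    # denied by clause 10
    print(acl.evaluate("udp", "172.16.1.1", "200.200.200.200", 53))  # no permit: denied
    acl.clause(Clause(99, "permit", "any"))                           # permit-all last
    print(acl.evaluate("udp", "172.16.1.1", "200.200.200.200", 53))  # now permitted by 99
```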
Clause number is the number you want to assign to the clause. Enter a number
from 1 to 254. To create a clause to permit, deny, or bypass traffic on a circuit, use
the clause command.
Note
Ensure that ACLs associated with a source group specified in the clause
command are globally enabled for the ACL to properly map to the source group
(see Globally Enabling ACLs later in this chapter).
The syntax for the clause command is:
clause number deny - Creates a clause in the ACL to deny traffic on a circuit.
The syntax for clause deny is:
clause number deny protocol [source_info {source_port}] dest [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
Note
If you specify both a source group and a preferred service in a clause, you must
specify the source group before you specify the preferred service within the
clause.
Table 5-4 provides variables and options for the clause command. Bolded syntax
defines keywords that you enter on the command line. Italics define variables
where you enter a value such as an IP address or host name.
Note
When a destination in an ACL clause is a Layer 5 content rule, the CSS does not
spoof the connection. Therefore, the ACL clause does not function as would be
expected. As a workaround, you may configure an additional clause to permit the
TCP IP addresses and ports. Be aware that content will be matched on both
clauses. For example,
clause 14 permit any any destination content Layer5/L5 eq 80 (original clause)
clause 15 permit tcp any destination 200.200.200.200 eq 80 (This is an additional
clause to handle the SYN, where the destination IP address is the IP address
configured in the Layer 5 content rule. Note that this clause number must be
greater than the destination content clause number.)
Table 5-4
Variables and Options - Parameters
number
action
protocol - The protocol for the traffic type. Enter one of the following:
any, icmp, igp, igmp, ospf, tcp, udp.
source_info
source_port
destination_info - The destination information for the traffic. Enter one of the
following:
destination_port - The destination port. Enter one of the following. You may
use a port number or port name with the options.
sourcegroup name
prefer service_name
Deleting a Clause
To delete a clause, use the no clause command. For example, enter:
(config-acl[7]) no clause 6
Note
Before you configure logging for a specific ACL clause, ensure that global ACL
logging is enabled. To globally enable ACL logging, use the (config)# logging
subsystem acl level debug-7 command.
Because the CSS does not save the clause log enable command in the
running-config, you must reenable logging if the CSS reboots.
To configure logging for an ACL clause:
1. Enter the ACL mode for which you want to enable logging.
(config)# acl 7
(config-acl[7])#
2. Remove the ACL from the circuit. You must remove an ACL from a circuit
before making any clause changes.
(config-acl[7]) remove circuit-(VLAN1)
3. Enable logging on the clause with the clause log enable command.
4. Reapply the ACL to the circuit with the apply circuit command.
Note
You cannot apply an empty ACL to a circuit. If you attempt to do so, the error
message Cannot apply ACL for it has no clauses appears.
To add a new clause to an existing and applied ACL, reapply the ACL to the circuit
with the apply circuit command.
To apply any changes to an existing clause on an existing and applied ACL, you
must remove the ACL from the circuit with the (config-acl) remove command,
and then reapply the ACL to the circuit.
To remove a clause currently in use, you must remove its applied ACL from the
circuit, delete the clause, and then reapply the ACL to the circuit.
The syntax and options for this ACL mode command are:
Note
If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command.
For example, to apply acl 7 to circuit VLAN1:
(config-acl[7])# apply circuit-(VLAN1)
Note
You must enter the global acl enable command for ACLs to take effect. For
information on the acl enable command, see Globally Enabling ACLs later in
this chapter.
The syntax and options for this ACL mode command are:
remove circuit-name - Removes the ACL from an individual circuit. To display a
list of circuits that you can remove, use the remove ? command.
remove all - Removes the ACL from all circuits to which it is applied.
Caution
When you enter the acl enable command, all traffic is denied except for traffic
specified in an ACL permit clause. Because UDP and TCP traffic terminating on
the CSS itself (for example, a Telnet session) is also subject to ACL checks,
configure and apply the permit clauses you need before you enable ACLs.
To globally enable all ACLs, enter:
(config)# acl enable
Showing ACLs
Use the show acl commands to display access control lists and clauses. The show
acl commands are available in all modes.
When you show an ACL clause that is applied to a circuit, the display includes:
Content Hits - A flow is a stream of UDP or TCP packets between a client and
a server. The CSS must receive a number of packets from the client and the
server before it can completely set up the flow. All of these packets,
received before the flow is completely set up, are subject to ACL checks and
increment the ACL Content Hits counter.
Router Hits - All non-UDP and non-TCP packets subjected to ACL checks
increment the ACL Router Hits counter. All UDP and TCP traffic terminating
on the CSS itself (for example, a Telnet or FTP session) also increments the
ACL Router Hits counter.
When you show an ACL clause that is applied to DNS queries, the display
includes a DNS hit counter, which counts DNS lookups.
The syntax is:
show acl index - Displays the clauses for the specified ACL index number
(valid numbers are 1 to 99).
show acl config - Shows the ACL global configuration. This display also
shows you which ACLs are applied to which circuits.
Note
The total number of ACL hits for each packet received by the CSS can vary
depending on the type of flow and whether an ACL match occurred. The CSS
performs an ACL check for every packet received until the ACL flow is
completely set up. Once the ACL flow is set up, remaining packets received by
the CSS that are associated with the flow are not subject to an ACL match and
the ACL hit counters do not increment.
Table 5-5 describes the fields in the show acl display: Acl, Clause, Action,
Source, Destination, Log, Content Hits, Router Hits, and DNS Hits.
ACL Example
The following ACL provides security for a CSS, Server1, and Server2 on one
VLAN (VLAN1). The ACL:
Permits clients from subnet 172.16.107.x to reach the VIP 172.16.107.35
with a browser
Clause 60 permits UDP to port 520 on the VLAN for RIP updates. This clause
is required if your router is on a subnet other than 172.16.107.x.
Clause 70 denies everything that has not been permitted in the ACL.
!**************************** ACL ***************************
acl 1
clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15
clause 30 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.16
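The following Python model is an added example, not part of the Cisco manual; it lets you check the example ACL above against sample packets offline. It assumes, because the page does not spell it out, that clauses are evaluated in ascending clause-number order and the first match decides (the trailing clause 70 deny only makes sense under first-match semantics), that once acl enable is in effect a packet matching no clause is denied (the Caution earlier in this chapter), and that protocol any matches every protocol while a clause without a port matches every port. The clauses permitting the VIP 172.16.107.35 are not shown on the page, and clauses 60 and 70 are reconstructed here from their prose description.

```python
"""Model of CSS ACL clause evaluation (added example; assumptions in the
lead-in and in the comments below)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")          # the "any" keyword


@dataclass(frozen=True)
class Packet:
    protocol: str                        # "tcp", "udp", "icmp", ...
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Clause:
    """clause <number> <permit|deny> <protocol> <source> destination <dest> [eq <port>]"""
    number: int
    action: str                          # "permit" or "deny"
    protocol: str
    source: IPv4Network
    destination: IPv4Network
    dest_port: Optional[int] = None      # None: clause has no "eq" port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if pkt.src not in self.source or pkt.dst not in self.destination:
            return False
        return self.dest_port is None or self.dest_port == pkt.dst_port

    def is_catch_all(self) -> bool:
        return (self.protocol == "any" and self.source == ANY
                and self.destination == ANY and self.dest_port is None)


def evaluate(acl: List[Clause], pkt: Packet,
             acl_enabled: bool = True) -> Tuple[str, Optional[int]]:
    """Return (action, matching clause number). With no match the clause
    number is None and the action is the implicit deny (assumption: that is
    what "all traffic is denied except ..." means), or permit if ACLs are
    not globally enabled."""
    for clause in sorted(acl, key=lambda c: c.number):   # assumption: ascending order, first match wins
        if clause.matches(pkt):
            return clause.action, clause.number
    return ("deny" if acl_enabled else "permit"), None


def shadowed_clauses(acl: List[Clause]) -> List[int]:
    """Numbers of clauses that can never match because a catch-all clause
    (any protocol, any source, any destination, no port) precedes them.
    A practitioner's check for a deny-all that was numbered below the permits."""
    ordered = sorted(acl, key=lambda c: c.number)
    for i, clause in enumerate(ordered):
        if clause.is_catch_all():
            return [c.number for c in ordered[i + 1:]]
    return []


def host(ip: str) -> IPv4Network:
    """A single destination address, as the clause syntax writes it."""
    return IPv4Network(f"{ip}/32")


SUBNET = IPv4Network("172.16.107.0/24")

# acl 1: clauses 20 and 30 as printed on the page; 60 and 70 from the prose.
ACL_1 = [
    Clause(20, "permit", "any", SUBNET, host("172.16.107.15")),
    Clause(30, "permit", "any", SUBNET, host("172.16.107.16")),
    Clause(60, "permit", "udp", ANY, ANY, dest_port=520),   # RIP from an off-subnet router
    Clause(70, "deny", "any", ANY, ANY),                     # deny everything else
]

# Constructed packets, not captured traffic.
CLIENT_TO_SERVER1 = Packet("tcp", IPv4Address("172.16.107.5"), IPv4Address("172.16.107.15"), 80)
RIP_FROM_ROUTER = Packet("udp", IPv4Address("10.1.1.1"), IPv4Address("172.16.107.255"), 520)
OUTSIDER_TO_SERVER1 = Packet("tcp", IPv4Address("10.1.1.1"), IPv4Address("172.16.107.15"), 80)
```

Running evaluate over the three constructed packets gives permit by clause 20, permit by clause 60 and deny by clause 70; with only clauses 20 and 30 present the outsider is still denied, but by the implicit deny rather than by a clause, which is exactly the behaviour the Caution above describes once acl enable is entered.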
To remove an existing EQL, use the no eql command from config mode. For
example, enter:
(config)# no eql graphics
Once you create an EQL, you can configure the following attributes for it:
description - Provides a description for the EQL. Enter a quoted text string
with a maximum length of 64 characters. For example, enter:
(config-eql[graphics])# description "This EQL specifies graphic file extensions"
extension name - Specifies the extension name for content on which you want
the CSS to match. Enter a text string from 1 to 7 characters. When configuring
EQLs for services, make sure you enter an extension for static content such
as .avi, .gif, or .jpg. Do not enter extensions for dynamic content such as .asp
and .html. The order in which you enter extensions is irrelevant.
For example, enter:
(config-eql[graphics])# extension pcx
Note
Do not specify a file extension in the URL when you use an EQL in the URL or
the CSS will return an error message. For example, the CSS will return an error
message for the command url /*.txt eql graphics. The following command is
valid; url /* eql graphics.
For example, enter:
(config-owner-content[arrowpoint.com-products.html])# url /* eql graphics
The following example enables the CSS to direct all requests to the correct service
for content that matches:
Pathnames (/customers/products)
To display an EQL name and extensions configured for a content rule, use the
show rule command.
For details on the show rule command and its output, refer to Chapter 3,
Configuring Content Rules.
The show rule display includes the fields EQL and Extensions.
Note
You cannot specify both url urql and application ssl within the same content
rule.
Creating a URQL
To access URQL configuration mode, use the urql command. The prompt
changes to (config-urql [name]). You can also use this command from URQL
mode to access another URQL.
Enter the URQL name you want to create or enter an existing URQL. Enter the
name as an unquoted text string with no spaces and a maximum of 31 characters.
When you create a URQL, it remains suspended until you activate it using the
active command in urql mode. To display a list of existing URQL names, enter:
(config)# urql ?
Configuring Uniform Resource Locator Qualifier Lists
3. Add the URQL to a content rule using the owner-content url command.
Note
You must create the URL entry before you can define the URL, describe it, or
associate it with a content rule.
To remove a URL entry from a URQL, use the no url command. For example,
enter:
(config-urql[videos])# no url 10
To specify additional URL entries in the URQL, reenter the url command. For
example, enter:
(config-urql[videos])# url 20
(config-urql[videos])# url 30
(config-urql[videos])# url 40
To remove a URL from an entry, use the no url number url command. Use this
command to remove a previously assigned URL before you redefine the URL for
an entry. For example, enter:
(config-urql[videos])# no url 10 url
To define additional URL for the entries, reenter the url entry url command. For
example, enter:
(config-urql[videos])# url 20 url /cooking/fudge.avi
(config-urql[videos])# url 30 url /cooking/pie.avi
(config-urql[videos])# url 40 url /cooking/cake.avi
Note
You must assign a domain before you can activate a URQL. To change the domain
address of an existing URQL, suspend the URQL and then change the domain.
For example, enter:
(config-urql[videos])# domain www.arrowpoint.com
or
(config-urql[videos])# domain 192.168.11.1
For example, enter:
(config-owner-content[chefsbest-recipes])# url urql videos
To display a URL for a content rule, use the show rule command for the content
rule. For details on the show rule command and its output, refer to Chapter 3,
Configuring Content Rules.
Activating a URQL
Use the active command to activate a suspended URQL. When you create a
URQL, it is suspended until you use the active command to activate it.
Note
Before you can activate a URQL, you must assign the domain for the URLs. See
Designating the Domain Name of URLs in a URQL in this chapter.
For example, enter:
(config-urql[videos])# active
Suspending a URQL
Use the suspend command to deactivate a URQL on all currently assigned
content rules. For example, enter:
(config-urql[videos])# suspend
Showing URQLs
To display a list of URQLs, enter:
(config)# urql ?
Table 5-7 describes the fields in the show urql display: Name, Description,
Domain, Create Type, State, and Rules Associated.
Table 5-8 describes the additional fields when you display a specified URQL:
URQL Table, Domain, Number of entries configured, URL (the URL), Description,
Create Type, State, and CSD Entries.
Creating an NQL
Describing an NQL
Creating an NQL
Enter the name of the new NQL you want to create or an existing NQL. Enter the
name as an unquoted text string with no spaces and a maximum of 31 characters.
You can create a maximum of 512 NQLs per CSS.
For example, enter:
(config)# nql bypass_nql
(config-nql[bypass_nql])#
To display a list of existing NQLs, use the nql ? command. If no NQLs currently
exist, the CSS prompts you to enter a new name.
To remove an existing NQL, use the no nql command. For example, enter:
(config)# no nql bypass_nql
Describing an NQL
Use the description command in NQL mode to provide a description for an NQL.
Enter the NQL description as a quoted text string with a maximum length of
63 characters.
For example, enter:
(config-nql[bypass_nql])# description "Bypass services"
log - Logs an event involving an NQL. If you do not enter this option, events
are not logged. To log an NQL event, you must enable global NQL logging.
To enable global NQL logging, use the (config) logging subsystem nql level
debug-7 command. For logging information, refer to the Cisco Content
Services Switch Administration Guide.
To log events occurring on a network, you must also enable global NQL logging.
For example, enter:
(config)# logging subsystem nql level debug-7
Note
If you do not include a description or turn on logging when you create the entry
and later wish to add a description or turn on logging, you must first remove the
entry and then add it again with the desired options.
To remove an IP address from an NQL, use the no ip address command. For
example, enter:
(config-nql[bypass_nql])# no ip address 192.168.0.0/16
show nql - Displays information for all NQLs. If you enter this command in
NQL mode, the CSS displays the addresses only for the current NQL.
show nql nql_name - Displays information for the specified NQL. Enter the
NQL name as a case-sensitive unquoted text string with no spaces. To see a
list of existing NQL names, use the show nql ? command.
The show nql display includes the fields Name, Description, and IP Addresses.
Note
The CSS supports a maximum of 512 DQLs, with a maximum of 2,500 DQL
domain name entries. This means that a single DQL can have up to 2500 entries,
or five DQLs can have up to 500 entries for each DQL.
DQLs exist independently of any range mapping. You can use a DQL as a matching
criterion to balance across servers that do not have VIP or port ranges. If you
want to use range mapping with range services, you need to consider the index
of each domain name in the DQL. If you are not using service ranges with DQLs,
you do not need to configure an index; the default index is 1.
For example, you could configure a DQL named Woodworker.
(config)# dql Woodworker
The domain names you could add as part of the DQL include www.wood.com,
www.woodworker.com, www.maple.com, www.oak.com. You could configure
www.wood.com and www.woodworker.com to have the same mapping index. You
can enter indexes from 1 to 1000 and provide an optional quoted description for
each index.
For example, enter:
(config-dql[Woodworker])# domain
"same as the woodworker domain"
(config-dql[Woodworker])# domain
(config-dql[Woodworker])# domain
(config-dql[Woodworker])# domain
If you specify a DQL as a matching criteria for content rule WoodSites, and there
are two services, S1 and S2, associated with the rule, the CSS checks the services
at mapping time for ranges. To add a DQL to a content rule, use the url command
as shown:
(config-owner-content[WoodSites])# url /* dql Woodworker
For example, if the CSS receives a request for www.oak.com along with other
matching criteria, a match on the WoodSites rule occurs on DQL index 3. If the
rule has the roundrobin balance method configured, the CSS examines a service
(S2 in this example) to determine the backend connection mapping parameters. If
you configured S2 with a VIP address of 10.0.0.1 and a range of 5, its addresses
are 10.0.0.1 through 10.0.0.5. Because this service has a range of addresses and
any as its port, DQL index 3 maps to the third address in the service VIP
range, which is 10.0.0.3.
To access DQL configuration mode, use the dql command from any configuration
mode except boot, group, RMON alarm, RMON event, and RMON history
configuration modes. The prompt changes to (config-dql [name]). You can also
use this command from DQL mode to access an existing DQL.
See the following sections to configure a DQL:
Creating a DQL
Describing a DQL
Creating a DQL
To create a new DQL, enter the name of the DQL you want to create as an
unquoted text string with no spaces and a maximum of 31 characters. To access
an existing DQL, enter the DQL name. To display a list of existing DQL names,
use the dql ? command.
For example, to configure a DQL:
(config)# dql pet_domains
(config-dql[pet_domains])#
Describing a DQL
Use the description command to provide a description for DQL. Enter the
description as a quoted text string with a maximum of 63 characters, including
spaces.
For example, enter:
(config-dql[pet_domains])# description "pet supplies"
name - The name of the domain. Enter an unquoted text string with a
maximum of 63 characters (for example, www.arrowpoint.com). The CSS
matches the domain name exactly.
number - The index number for the domain. Enter a number from 1 to 10000.
If a domain has more than one domain name, you can assign the same index
number to its different names.
For example, enter:
(config-dql[pet_domains])# domain www.birds.com index 1 "idaho-based"
(config-dql[pet_domains])# domain www.cats.com index 2 "worldwide"
(config-dql[pet_domains])# domain www.horses.com index 3 "florida-based"
Normally, port 80 traffic does not use a port number in the domain name. To
specify a port other than port 80, enter the domain name with the port number
exactly. Separate the domain name and the port number with a colon. For
example, enter:
(config-dql[pet_domains])# domain www.dogs.com:8080 index 4
To add or delete a domain name from a DQL that is assigned to a content rule, you
must first suspend the content rule using the suspend command. You cannot make
changes to a DQL currently in use by a content rule.
The show dql displays include the fields Name, Index, Description, and Domain.
Content rules with either a range of VIPs or a DQL (but not both). This would
allow the CSS to map the range of VIPs or the domain names in the DQL to
the servers.
Content rules with either a range of VIPS or a DQL (but not both) that would
map to a server without a range. This allows the CSS to map many domain
names to one server.
You can configure the CSS to load balance the Web sites by configuring port
ranges, VIP ranges, or DQLs. For more information on the service and content
rule commands required, see Chapter 1, Configuring Services and Chapter 3,
Configuring Content Rules.
See Table 5-11 for the steps required to configure virtual Web hosting.
Table 5-11 Virtual Web Hosting Configuration Quick Start
2. Create a service.
(config)# service serv1
(config-service[serv1])#
3. Assign an IP address to the service and define the IP address range. Enter a
number from 1 to 65535. When using the ip address range command, use IP
addresses that are within the subnet you are using. The CSS does not use ARP
for IP addresses that are not on the circuit subnet.
(config-service[serv1])# ip address 10.3.6.1 range 200
protocol tcp
keepalive type http
keepalive method get
keepalive uri /index.html
7. Configure a VIP. You can define a VIP range only if you do not plan to
configure a DQL. When using the vip address range command, use IP addresses
that are within the subnet you are using. The CSS does not use ARP for IP
addresses that are not on the circuit subnet.
(config-owner-content[arrowpoint-rule1])# vip address 192.168.3.6 range 10
10. If you have not configured a VIP range, you can create a DQL.
(config)# dql pet_domains
(config-dql[pet_domains])#
12. Add the DQL to the content rule using the url command.
(config-owner-content[arrowpoint-rule1])# url /* dql pet_domains
Where to Go Next
You can configure HTTP header load balancing by creating an HTTP header field
group and configuring HTTP header fields. For information, see Chapter 6,
Configuring HTTP Header Load Balancing.
Chapter 6 Configuring HTTP Header Load Balancing
Note
You must enable service remapping for HTTP header load balancing to work
properly. For information on the service remapping feature, refer to Chapter 3,
Configuring Content Rules.
Domain name, IP address, protocol, port, URL, HTTP header field group
2. Create a header field group. This example creates the group ppilot.
(config)# header-field-group ppilot
(config-header-field-group[ppilot])#
4. Configure header field entries by defining a header field name, field type,
and operator.
(config-header-field-group[ppilot])# header-field palm1 user-agent contain MSIE 20
Note
The CSS supports a maximum number of 1024 header field groups, with a
maximum of 4096 header field entries.
Note
When there is more than one header field entry in a group, each header field entry
must be successfully matched before the CSS uses the associated content rule.
To create a header field group or to access header field group configuration mode,
use the header-field-group command from all configuration modes except boot
and RMON modes.
The prompt changes to (config-header-field-group [group_name]). You can also
use this command in header-field-group mode to access another group.
The syntax for this mode transition command is:
header-field-group group_name
Enter the group_name of the header-field group you want to create. You must
define a unique name for each header field group so different content rules can
use the groups. Enter a text string with a maximum of 32 characters. To see an
existing list of header-field groups, use the header-field-group ? command.
For example, enter:
(config)# header-field-group ppilot
(config-header-field-group[ppilot])#
The syntax for this command is:
header-field name field_type operator {header_string {search_length}}
name - The name uniquely identifies the header field entry. Enter the name as
a string from 1 to 31 characters. You must define a header field entry name
because the CSS can use the same field type multiple times in a header field
group.
HTTP requests from some wireless gateways contain the MSISDN field
in the HTTP header. By configuring the msisdn header field type in a
header field group, you can load balance wireless requests. See Example
3. Wireless configuration that load balances HTTP requests based on the
MSISDN header field later in this chapter.
To remove a header field entry, use the no header-field command. For example,
enter:
(config-header-field-group[ppilot])# no header-field palm1
Note
The CSS supports only one header field group for each content rule.
The syntax for this content mode command is:
header-field-rule name {weight number}
The variables are:
name - The name of the header field group used with the content rule. To see
a list of groups, use the header-field-rule ? command.
weight number - The weight you want to assign to the header field group.
Enter a number from 0 to 1024. The default weight is 0.
To remove the header field group from the content rule, enter:
(config-owner-content[arrowpoint-rule1])# no header-field-rule
For example, to show a summary of all configured header field groups, enter:
(config)# show header-field-group
content ruleA1
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule A
add service server11
add service server12
content ruleA2
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule B
add service server21
add service server22
content ruleA3
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule C
add service server31
add service server32
Example 2. Header field group configuration that broadens the rule-matching capabilities.
Example 2 shows the same configuration as Example 1, modified to broaden the
rule-matching capabilities. Each content rule is specific. A client request
specifying the language as French and the user-agent as Netscape will match
only on ruleA2.
! ***************** HEADER FIELD GROUP ********************
header-field-group A
header-field ua1 language equal en
header-field ua2 user-agent contain Netscape
header-field-group B
header-field ua3 language equal fr
header-field ua4 user-agent contain Netscape
header-field-group C
header-field ua5 language equal en
header-field ua6 user-agent not-contain Netscape
header-field-group D
header-field ua7 language equal fr
header-field ua8 user-agent not-contain Netscape
! ********************** OWNER ***************************
owner arrowpoint
content ruleA
protocol tcp
vip address 192.168.128.151
port 80
url /*
add service server1
add service server2
content ruleA1
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule A
add service server11
add service server12
content ruleA2
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule B
add service server21
add service server22
content ruleA3
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule C
add service server31
add service server32
content ruleA4
protocol tcp
vip address 192.168.128.151
port 80
url /*
header-field-rule D
add service server41
add service server42
Example 3. Wireless configuration that load balances HTTP requests based on the MSISDN header field
Example 3 shows a configuration that makes load-balancing decisions based on
whether or not a client is a wireless client. Wireless devices use the Wireless
Application Protocol (WAP). When a wireless client sends a request for content,
the WAP protocol gateway (a device that translates requests from the WAP
protocol stack to the WWW protocol stack) generates the MSISDN field and adds
it to the HTTP header. You can test for the presence of the MSISDN header field
using the exist and not-exist operators in the header field entry of a header field
group. Then, you can make load-balancing decisions based on the presence or
absence of the MSISDN header field. For details on configuring the MSISDN
header field type, see Configuring a Header Field Entry earlier in this chapter.
In the following example, any TCP port 80 traffic destined for VIP
192.168.128.151 that has the MSISDN field in the HTTP header will hit the
content rule ruleWap. Any TCP port 80 traffic destined for 192.168.128.151 that
does not have the MSISDN field in the HTTP header will hit the content rule
ruleNoWap.
header-field-group wap
header-field 1 msisdn exist
owner arrowpoint
content ruleWap
vip address 192.168.128.151
protocol tcp
port 80
url /*
add service server1
add service server2
header-field-rule wap
active
content ruleNoWap
vip address 192.168.128.151
protocol tcp
port 80
url /*
add service server21
add service server22
active
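The following Python model is an added example, not part of the Cisco manual; it reproduces the rule selection described for Example 2 (a French, Netscape request hits only ruleA2) and Example 3 (a request carrying the MSISDN field hits ruleWap, one without it hits ruleNoWap), with every entry in a group having to match, as the Note earlier in this chapter states. Because the manual does not say so, it assumes that the language field type reads the Accept-Language request header and user-agent reads User-Agent, that equal compares the whole header value and contain is a substring test, that search_length limits how many leading characters are examined, that a request lacking the header fails equal, contain and not-contain, that the msisdn field type is read from a header named X-MSISDN (a name chosen for this example only), and that when several rules match, the group-carrying rule with the highest weight wins while a rule with no header-field-rule is the fallback.

```python
"""Model of header field group matching (added example; assumptions in the
lead-in and in the comments below)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed mapping from CSS field type to the HTTP request header it reads.
FIELD_HEADERS = {
    "language": "accept-language",
    "user-agent": "user-agent",
    "msisdn": "x-msisdn",        # hypothetical header name used only here
}


@dataclass(frozen=True)
class HeaderField:
    """One 'header-field name field_type operator {header_string {search_length}}' entry."""
    name: str
    field_type: str
    operator: str
    header_string: Optional[str] = None
    search_length: Optional[int] = None

    def matches(self, headers: Dict[str, str]) -> bool:
        value = headers.get(FIELD_HEADERS[self.field_type])
        if self.operator == "exist":
            return value is not None
        if self.operator == "not-exist":
            return value is None
        if value is None:                      # assumption: absent header fails the rest
            return False
        window = value if self.search_length is None else value[:self.search_length]
        if self.operator == "equal":
            return window == self.header_string
        if self.operator == "contain":
            return self.header_string in window
        if self.operator == "not-contain":
            return self.header_string not in window
        raise ValueError(f"unknown operator {self.operator!r}")


def group_matches(group: List[HeaderField], headers: Dict[str, str]) -> bool:
    """Every entry in the group must match before the rule is used."""
    return all(entry.matches(headers) for entry in group)


def parse_request(raw: str) -> Dict[str, str]:
    """Header names are case-insensitive; keys are lowercased for lookup."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


Rule = Tuple[str, Optional[List[HeaderField]], int]   # (rule name, group or None, weight)


def select_rule(rules: List[Rule], headers: Dict[str, str]) -> Optional[str]:
    """Highest-weight rule whose group matches; a rule without a group is the
    fallback (assumption about how the CSS orders the candidates)."""
    best, best_weight, fallback = None, -1, None
    for name, group, weight in rules:
        if group is None:
            fallback = fallback or name
        elif group_matches(group, headers) and weight > best_weight:
            best, best_weight = name, weight
    return best or fallback


# Header field groups of Example 2 (A to D) and Example 3 (wap).
GROUP_A = [HeaderField("ua1", "language", "equal", "en"), HeaderField("ua2", "user-agent", "contain", "Netscape")]
GROUP_B = [HeaderField("ua3", "language", "equal", "fr"), HeaderField("ua4", "user-agent", "contain", "Netscape")]
GROUP_C = [HeaderField("ua5", "language", "equal", "en"), HeaderField("ua6", "user-agent", "not-contain", "Netscape")]
GROUP_D = [HeaderField("ua7", "language", "equal", "fr"), HeaderField("ua8", "user-agent", "not-contain", "Netscape")]
GROUP_WAP = [HeaderField("1", "msisdn", "exist")]

EXAMPLE2_RULES: List[Rule] = [("ruleA1", GROUP_A, 0), ("ruleA2", GROUP_B, 0),
                              ("ruleA3", GROUP_C, 0), ("ruleA4", GROUP_D, 0), ("ruleA", None, 0)]
EXAMPLE3_RULES: List[Rule] = [("ruleWap", GROUP_WAP, 0), ("ruleNoWap", None, 0)]

# Constructed requests, not captured traffic.
REQ_FR_NETSCAPE = ("GET / HTTP/1.1\r\nHost: 192.168.128.151\r\n"
                   "Accept-Language: fr\r\nUser-Agent: Mozilla/4.7 (Netscape)\r\n\r\n")
REQ_DE_OTHER = ("GET / HTTP/1.1\r\nHost: 192.168.128.151\r\n"
                "Accept-Language: de\r\nUser-Agent: Opera/5.0\r\n\r\n")
REQ_WAP = ("GET / HTTP/1.1\r\nHost: 192.168.128.151\r\n"
           "X-MSISDN: 447700900123\r\nUser-Agent: Nokia7110/1.0\r\n\r\n")
```

The last assertion in the accompanying check mirrors the palm1 entry configured earlier in this chapter (user-agent contain MSIE 20): with a search length of 20, a User-Agent whose MSIE token sits beyond the twentieth character does not match, which is the kind of silent miss to test for before trusting a header-based routing decision.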
Note
You can use the MSISDN header field with the advanced-balance wap-msisdn
command to configure wireless users for e-commerce applications. For details on
configuring a wireless user, refer to Chapter 4, Configuring Sticky Parameters for
Content Rules, Configuring Wireless Users for E-Commerce Applications.
Where to Go Next
You can configure the CSS for content caching using content rules and a service
type that supports caching. For information about configuring the CSS for content
caching, refer to Chapter 7, Configuring Caching.
Chapter 7
Configuring Caching
This chapter provides an overview of the CSS caching feature and describes how
to configure it for operation. Information in this chapter applies to all CSS
models, except where noted.
The chapter includes the following sections:
Caching Overview
Configuring Caching
Caching Overview
Increasing demand for information on the Internet causes congestion and long
delays in retrieving information. Because much of the same information is
retrieved over and over again, saving and storing this information can satisfy
subsequent requests with more efficiency and less bandwidth.
Saving and storing information locally is known as caching. With Web caching,
copies of recently requested content are stored temporarily on a cache server in
locations that are topologically closer to the client. The content is then readily
available to be reused for subsequent client requests for the same content.
Content Caching
You can make Web caching cost-effective and more reliable by deploying Content
Caching in your network. By creating content rules that use your cache servers,
the CSS acts as a cache front-end device that:
Bypasses the cache servers and forwards the request to the origin server if the
content is non-cacheable
When the CSS directs the request to the cache server, the cache server either
returns the requested content (if it has a local copy) or sends a new request for the
content through the CSS to the origin server hosting the content. When the cache
sends a new request for content and receives a reply from the origin server, it
returns the response to the client. If the content is cacheable, the cache saves a
copy of the content for future requests.
When the requested content is found on a local cache server, the request is known
as a cache hit. When the requested content is not local and the cache initiates a
new request for the content, the request is known as a cache miss.
The following sections provide CSS examples of:
Figure (diagram): Clients, Router, CSS, Network Cache, Origin servers, Internet.
Figure 7-2 shows an example of a CSS 11506 and CSS 11503s in a reverse proxy
cache configuration.
Figure 7-2 (diagram): a CSS 11506 at the San Jose data center with the origin
servers, and CSS 11503s in Boston, London, and Atlanta, each acting as a reverse
proxy cache (RPC) with DNS, connected over the Internet.
Figure (diagram): Internet, Router, CSS, Network Cache, Web servers.
Scalability
Redundancy
Transparency
Simplified administration
Figure (diagram): Internet, three CSSs, Web servers, Network Cache, Clients,
Remote access servers.
Note
When using Content Caching, the keepalive type must be ICMP (default setting).
For a complete description of each caching command, see the sections following
Table 7-1.
Table 7-1
2. Create an Extension Qualifier List (EQL) where you specify which content
types the CSS caches.
(config)# eql graphics
(config-eql[graphics])#
3. Describe the EQL by entering a quoted text string with a maximum length
of 63 characters.
(config-eql[graphics])# description "This EQL specifies cacheable graphic files"
4. Specify the extension for content you want the CSS to cache. Enter a text
string from 1 to 8 characters.
(config-eql[graphics])# extension jpeg
5. Specify the EQL in a content rule to match all content requests with the
desired extensions.
(config-owner-content[arrowpoint.com-rule1])# url "/*" eql graphics
6. Configure the load balancing method for the cache content rule. The default
is roundrobin.
(config-owner-content[arrowpoint.com-rule1])# balance domain
7. Specify a failover type to define how the CSS handles content requests
when a service fails (bypass, next). The default is linear.
(config-owner-content[arrowpoint.com-rule1])# failover bypass
Configuring Caching
Configure caching using content rules. When creating caching content rules, the
additional configuration requirements involve:
Configure EQLs to identify file extensions that the CSS should direct to the
cache services
Note
If you are running the Inktomi Traffic Server on a system that does not listen
in promiscuous mode and want to bypass the Inktomi Adaptive Redirect module
(that is, send traffic directly to port 8080 instead of port 80), specify the CSS
service type as type proxy-cache. Configuring the CSS service type to type
proxy-cache causes the CSS to perform full Network Address Translation (NAT)
when directing traffic to the Traffic Server.
The CSS recognizes and forwards the following HTTP methods directly to
the destination server in a transparent caching environment. However, the
CSS does not load balance these methods.
RFC-2068: OPTIONS, TRACE
RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK,
Note
To enable the CSS to redirect a request to a remote service when a request for
content matches the rule, you must specify a URL for the content rule.
Note
If you remove a service (using the remove service command) the CSS rebalances
the remaining services. The CSS does not use the failover setting.
The failover command supports the following options:
failover bypass - Bypass all failed services and send the content request
directly to the origin server. Use this option in a proxy or transparent
cache environment when you want to skip a failed cache and send the content
request directly to the server that holds the content.
failover linear (default) - Distribute the failed service's content requests
evenly across the remaining services.
failover next - Send the failed service's content requests to the cache
service configured immediately after it. The CSS selects that service from
the order in which you configured the services in the content rule.
Figure 7-5 shows three cache services configured for failover next. If ServerB
fails, the CSS sends ServerB content requests to ServerC, which was configured
after ServerB in the content rule.

Figure 7-5 Failover next with ServerB failed: ServerA 33%, ServerB 33%
(failed), ServerC 33% + 33%

As shown in Figure 7-6, if ServerC fails, the CSS sends ServerC content requests
to ServerA because no other services were configured after ServerC.

Figure 7-6 Failover next with ServerC failed: ServerA 33% + 33%, ServerB 33%,
ServerC 33% (failed)
Figure 7-7 shows three cache services configured for failover linear (the
default). If you suspend ServerB or if it fails, the CSS does not rebalance the
services. It evenly distributes ServerB cache workload between servers A and C.
Note that Figure 7-7 and Figure 7-8 use the alphabet to illustrate division balance.

Figure 7-7 Failover linear with ServerB suspended: ServerA A-H + I-M,
ServerB I-Q (suspended), ServerC R-Z + N-Q

Figure 7-8 also shows three cache services configured for failover linear, but in
this example, you remove ServerB using the remove service command from
owner-content mode. Because the CSS does not apply the failover setting when
you remove a service, it rebalances the remaining services.

Figure 7-8 ServerB removed with the remove service command: ServerA A-M,
ServerB (removed), ServerC N-Z
balance domain - Domain name division algorithm. The CSS divides the
alphabet evenly across the number of caches. It parses the host tag for the first
four letters following the first dot and then uses these characters of the
domain name to determine to which server it should forward the request. This
option is typically used in a caching environment.
balance srcip - Source IP address division algorithm. The CSS directs all
client requests coming from the same source IP address to the same service.
This option is generally used in a caching configuration.
balance url - URL division algorithm. The CSS divides the alphabet evenly
across the number of caches. It then parses the URL for the first four
characters located after the portion of the URL matched by the rule. For
example, if the URL in a content rule is configured as /news/*, the CSS
balances on the first four characters following /news/. This option is
typically used in a caching environment.
balance urlhash - Internal CSS hash algorithm based on the URL string. The
CSS parses the URL and performs an XOR hash across the URL. It then uses
the XOR hash value to determine to which server to forward the request. This
method guarantees that all requests for the same URL will be sent to the same
server in order to increase the probability of a cache hit. This option is
typically used in a caching environment.
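The division algorithms above and the failover bypass, linear and next policies described under the failover command earlier in this section can be modelled together. The following is an added example written for this page; it is not Cisco code and does not describe the CSS's internal implementation. It assumes a byte-wise XOR fold for balance urlhash, first-letter bucketing of the four-character domain and url keys, integer-modulo selection for balance srcip, and that failover next skips a second failed service rather than bypassing; the manual specifies none of these details.

```python
"""Model of the CSS cache-selection ("balance") algorithms and failover
policies described in this chapter. Added example, not Cisco code: the exact
XOR fold, the bucketing of the four-character division key, and the srcip
mapping are assumptions, since the manual does not specify them."""
from ipaddress import ip_address

ORIGIN = "origin-server"  # sentinel: request bypasses the caches entirely


def alphabet_ranges(n):
    """Split A-Z into n contiguous ranges, e.g. n=3 -> A-H, I-Q, R-Z
    (sizes 8, 9, 9, as in Figure 7-7) and n=2 -> A-M, N-Z (Figure 7-8).
    Assumption: the leftover letters go to the last ranges."""
    if not 1 <= n <= 26:
        raise ValueError("need between 1 and 26 caches")
    base, rem = divmod(26, n)
    sizes = [base + (1 if i >= n - rem else 0) for i in range(n)]
    ranges, start = [], 0
    for size in sizes:
        ranges.append((chr(65 + start), chr(65 + start + size - 1)))
        start += size
    return ranges


def _division_key(text):
    """The manual keys on the first four characters after the match point."""
    return text[:4].upper()


def _bucket(key, n):
    """Assumption: the range is chosen by the key's first letter; a key that
    does not start with a letter falls into the first range."""
    first = key[:1]
    if not first.isalpha():
        return 0
    for i, (lo, hi) in enumerate(alphabet_ranges(n)):
        if lo <= first <= hi:
            return i
    return n - 1


def balance_domain(host_tag, n):
    """balance domain: the four characters after the first dot of the Host tag."""
    after_dot = host_tag.split(".", 1)[1] if "." in host_tag else host_tag
    return _bucket(_division_key(after_dot), n)


def balance_url(path, rule_url, n):
    """balance url: the four characters after the part the rule matched,
    e.g. rule url /news/* keys on the text following /news/."""
    prefix = rule_url.rstrip("*")
    if not path.startswith(prefix):
        raise ValueError("path does not match the content rule")
    return _bucket(_division_key(path[len(prefix):]), n)


def balance_urlhash(url, n):
    """balance urlhash: an XOR across the URL, so every request for the same
    URL lands on the same cache. Assumption: byte-wise XOR fold, modulo n."""
    h = 0
    for b in url.encode():
        h ^= b
    return h % n


def balance_srcip(src_ip, n):
    """balance srcip: all requests from one client address go to one cache.
    Assumption: the address as an integer, modulo n."""
    return int(ip_address(src_ip)) % n


def resolve(services, chosen, failed, policy, key=""):
    """Apply the content rule's failover policy to a request that the balance
    algorithm mapped to services[chosen]. services is the configured order;
    failed is the set of service names that are down or suspended."""
    if services[chosen] not in failed:
        return services[chosen]
    up = [s for s in services if s not in failed]
    if policy == "bypass" or not up:
        return ORIGIN  # failover bypass: straight to the origin server
    if policy == "next":
        # Walk the configured order after the failed service, wrapping round
        # (Figure 7-6: ServerC's requests go to ServerA). Assumption: a down
        # candidate is skipped rather than bypassed.
        for i in range(1, len(services)):
            cand = services[(chosen + i) % len(services)]
            if cand not in failed:
                return cand
        return ORIGIN
    if policy == "linear":
        # Re-divide the key among the remaining services. With ServerB down
        # this yields A-M on ServerA and N-Z on ServerC, so ServerB's I-Q
        # splits into I-M and N-Q exactly as Figure 7-7 shows.
        return up[_bucket(_division_key(key), len(up))]
    raise ValueError("unknown failover policy: %s" % policy)
```

Because the domain and url keys come from request fields the client controls (the Host tag and the URL), the cache a given request lands on is predictable from the request alone; urlhash has the same property by design, since the same URL must always reach the same cache. Keep that in mind when sizing caches and when choosing a failover policy, because a failed or suspended cache's whole key range moves to one neighbour under failover next.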
A Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST,
PUSH, and PUT methods. The CSS recognizes and forwards the following HTTP
methods directly to the destination server in a transparent caching environment.
Note that the CSS does not load balance these HTTP methods. RFC-2068:
OPTIONS, TRACE; RFC-2518: PROPFIND, PROPPATCH, MKCOL, MOVE,
LOCK, UNLOCK, COPY, DELETE.
In a transparent caching environment (for example, no VIP address on a Layer 5
content rule), the CSS bypasses these HTTP methods, and they are forwarded to
the destination server.
Note
If you have a configuration that requires a double-wildcard rule, be aware that the
client request will match on this rule when the client attempts to connect directly
to a server IP address.
To restore the CSS default behavior after issuing the no cache-bypass command,
enter:
(config-service[serv1])# cache-bypass
Configuring Network Address Translation Peering
Note
You can use the transparent-hosttag command only with a CSS operating in a
Client Side Accelerator (CSA) environment. For details on CSA, refer to the
Cisco Content Service Switch Advanced Configuration Guide.
For example, enter:
(config-service[serv1])# transparent-hosttag
To disable destination NATing for the transparent cache service type, enter:
(config-service[serv1])# no transparent-hosttag
NAT peering allows the CSS to:
Perform the final translation at the remote CSS, which allows return traffic
packets to flow to the client through any network path
Preserve the client IP address when forwarding traffic to the origin server
Adaptive Session Redundancy (ASR) does not support NAT Peering. For details
on ASR, refer to the Cisco Content Services Switch Advanced Configuration
Guide, Chapter 6, Configuring VIP and Virtual IP Interface Redundancy.
Note
Spoofing occurs when a CSS requires information from the HTTP request (such
as the host tag, file name, or file extension) in order to make a load
balancing decision.
The server-side CSS preserves the client address and port. This allows the origin
server to maintain statistics based on the original traffic source addressing data,
and allows the return path to be independent of the forwarding path.
Figure 7-9 shows an example of NAT peering. The steps that follow describe this
example.

Figure 7-9 NAT peering example. Components: Client A (reached across the
Internet); client-side CSS with VIP 195.195.195.195; server-side CSS with VIP
200.200.200.200; origin server 10.3.6.58; owner Boston, content rule rule1.
Packet addressing shown in the figure:
Client A to client-side CSS: Source = Client IP address, Destination = 195.195.195.195
Client-side CSS to server-side CSS: Source = 195.195.195.195, Destination = 200.200.200.200
Origin server reply: Source = 10.3.6.58, Destination = Client IP address
Reply after the server-side CSS translates it: Source = 195.195.195.195, Destination = Client IP address
1.
2.
The client-side CSS matches the request to its content rule, which specifies a
service located on the server-side CSS (CSS2, VIP2 200.200.200.200). The
server-side CSS service is configured for service type nci-direct-return.
This service type informs the client-side CSS to include the NCI option in the
TCP packet sent to server-side CSS. If a Layer 5 rule is matched, the spoof
bit in the NCI option is set.
3.
The client-side CSS sends the TCP packet to the server-side CSS. Source
address group mapping maps the Client A source address and port to those
of the client-side CSS. The TCP packet contains the client-side CSS source
information, the server-side CSS destination information, and the original
source and destination information from Client A.
4.
The server-side CSS determines whether or not the spoof bit has been set in
the packet. If the bit is set, the CSS stores the NAT information until the
connection is spoofed. The server-side CSS sets up the forward and return
paths. The server-side CSS then matches the request from the client-side CSS
on a content rule.
Note
The server-side CSS (in Figure 7-9) would use the NCI option in a
packet if the VIP rule is directed at a local, proxy-cache, or
transparent cache service.
5.
The server-side CSS sends the request to the origin server with the destination
IP address translated to the origin server IP address and the source IP address
translated to the client IP address.
6.
The origin server responds directly back to Client A. As the packet flows
through the server-side CSS, that CSS translates the source IP address to the
CSS1 VIP. The destination IP address is the client IP address.
When you configure the NCI service as nci-direct-return, the service must
be directed to the VIP on the server-side CSS to indicate an endpoint for the
connection. The server-side CSS always uses the nci-direct-return option to
modify the source address and port that the server sees. When the
nci-direct-return service is used on the client-side, the return path is modified
to directly return to the client.
When you are specifying an NCI service type, you must specify:
type nci-direct-return to represent a VIP on another CSS
type nci-info-only for any Web server
Table 7-2 describes the steps necessary to configure NAT peering using command
examples based on the configuration in Figure 7-9. Because NAT peering applies
to Layer 3 as well as Layer 5 rules, the port, protocol, and URL rule examples
shown in Table 7-2 are optional.
Table 7-2
On the client-side CSS (CSS1), create content rules with the criteria
required for the client-side CSS (CSS1) to forward traffic to the server-side
CSS (CSS2).
a. Create an owner.
CSS1 (config)# owner boston.com
On the client-side CSS (CSS1), create a source group for the client traffic.
CSS1 will translate the Client A IP address to the IP address defined in the
source group. To configure a source group:
a. Create the source group.
CSS1 (config)# group boston
CSS1 (config-group[boston])#
b. Define the CSS1 VIP as the IP address into which the Client A IP
4.
On the client-side CSS (CSS1), create an Access Control List (ACL) clause
to specify which source IP addresses use the source group. Note that clause
20 is a required clause that permits all other traffic. Without clause 20, all
traffic not defined in clause 10 is denied.
CSS1 (config)# acl 1
CSS1 (config-acl[1])# clause 10 permit tcp any destination content boston.com/rule1 sourcegroup boston
CSS1 (config-acl[1])# clause 20 permit any any destination any
CSS1 (config-acl[1])# apply circuit-(VLAN1)
5.
On the server-side CSS (CSS2), configure content rules with the criteria
required to forward content requests to serv1.
a. Create an owner.
CSS2 (config)# owner boston.com
f. Define a URL.
CSS2 (config-owner-content[boston.com-rule1])# url /*